Cyber Resilience

CVE-2023-38951

Critical

Published: 03 August 2023
Modified: 27 May 2025
KEV Added: not listed
Patch: available from vendor (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1556 (94.8th percentile)
Risk Priority: 29 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38951 is a critical-severity Path Traversal (CWE-22) vulnerability in Zkteco Biotime. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

ZKTeco BioTime versions 8.5.5 through 9.x prior to 9.0.1 (build 20240617.19506) contain a path traversal flaw combined with missing input sanitization in the /base/sftpsetting/ endpoints. The Username field accepts directory traversal sequences, so the path at which the server stores the key is attacker-influenced, while the SSH Key field accepts unsanitized content, so the bytes written to that path are attacker-controlled. Together these allow an authenticated user to create or overwrite arbitrary files on the underlying Windows server.

An authenticated remote attacker can supply a crafted request that writes files to sensitive locations such as system directories or startup folders. Successful overwrite of specific files yields arbitrary code execution with NT AUTHORITY\SYSTEM privileges, giving the attacker full control of the host.

Vendor references point to an updated BioTime release (9.0.1 build 20240617.19506) available from the ZKTeco download site and an accompanying announcement that addresses the issue. Public proof-of-concept code has also been published that demonstrates enumeration and exploitation of the endpoints.

The EPSS score has remained flat at 0.1758 with no material increase after disclosure.

EU & UK References

Vulnerability details

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zkteco
Product: biotime
Version: 8.5.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
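As an added defensive example (not ZKTeco's code or part of this page's record), the Python below shows the kind of allow-list validation the control above describes, applied to the two fields the advisory names: a Username that ends up in a file path and an SSH Key whose content is written to that file. The base directory and the ".pub" file naming are assumptions for illustration.

```python
# Added example, not ZKTeco's code: allow-list validation for the two inputs
# the advisory names, a Username used to build a file path and an SSH Key
# whose content is written to that file. The base directory layout and the
# ".pub" naming below are assumptions for illustration.
import re
from pathlib import PureWindowsPath

# Username may only contain a conservative character set (no separators,
# no drive letters, no NUL). Windows reserved device names (CON, NUL, ...)
# would need a further check on a real deployment and are not covered here.
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# One OpenSSH public-key line: key type, base64 blob, optional ASCII comment.
_PUBKEY_RE = re.compile(
    r"(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [ -~]+)?"
)


def safe_key_path(base_dir: str, username: str) -> str:
    """Return '<base_dir>\\<username>.pub' or raise ValueError."""
    # '.' and '..' pass the character allow-list, so reject them explicitly.
    if _NAME_RE.fullmatch(username) is None or username in (".", ".."):
        raise ValueError("username is not a safe filename component")
    base = PureWindowsPath(base_dir)
    target = base / f"{username}.pub"
    # Second, independent check: an absolute path or drive letter would have
    # replaced base_dir during the join, and a '..' would change the parent.
    if target.parent != base:
        raise ValueError("resolved path escapes the base directory")
    return str(target)


def validate_public_key(key_text: str) -> str:
    """Accept exactly one OpenSSH public-key line; reject everything else."""
    line = key_text.strip()
    # fullmatch plus the printable-ASCII comment class rejects embedded
    # newlines, so multi-line blobs (e.g. a PEM block) never reach the file.
    if len(line) > 8192 or _PUBKEY_RE.fullmatch(line) is None:
        raise ValueError("SSH Key field is not a single OpenSSH public key")
    return line


def is_safe_username(base_dir: str, username: str) -> bool:
    try:
        safe_key_path(base_dir, username)
        return True
    except ValueError:
        return False


def is_valid_public_key(key_text: str) -> bool:
    try:
        validate_public_key(key_text)
        return True
    except ValueError:
        return False
```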

References