External risk intelligence

ZKTeco BioTime Arbitrary File Write and Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-38951

ZKTeco BioTime is a workforce management and time attendance application typically deployed as a web-based service. Such systems are commonly configured as internally or externally accessible web portals to allow employee and administrator access, placing the web interface and its underlying endpoints in a position where they are frequently reachable over network segments.

Path Traversal

Zkteco Biotime

8.5.5

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects ZKTeco BioTime software, which is used for workforce management and time attendance. It allows unauthorized access to create or modify files on the server, potentially leading to the execution of malicious code. The primary concern is to confirm if your organization uses this software and if it is exposed to potential exploitation.

  • Attackers can write to server files.
  • Matters if using ZKTeco timekeeping software.
  • Confirm use and exposure of BioTime.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to specific server endpoints. These requests leverage a path traversal flaw and a lack of input sanitization, allowing the attacker to create or overwrite arbitrary files on the server. This could ultimately lead to the execution of malicious code with high system privileges.

  • Requires network access to the vulnerable application.
  • Crafts requests to specific file-related endpoints.
  • Enables arbitrary code execution as SYSTEM.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, authenticated attackers could create or overwrite arbitrary files on the server by exploiting path traversal and a lack of input sanitization. This could potentially lead to the execution of arbitrary code with SYSTEM privileges on the server.

  • Server files and service integrity.
  • Via crafted requests to specific endpoints.
  • Arbitrary code execution as SYSTEM.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in ZKTeco BioTime affects applications handling user data and system configurations. Responsibility for remediation likely falls to the application owners and infrastructure teams managing the BioTime deployment, in coordination with security operations for exposure assessment. The immediate first step is to locate all instances of the affected software, determine their reachability and business criticality, and then prioritize remediation based on risk, potentially involving vendor coordination for an update.

  • Identify all BioTime deployments.
  • Verify external reachability and business impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ZKTeco BioTime?

ZKTeco BioTime is a workforce management and time attendance platform. It serves as a centralized web-based hub where organizations track employee hours, manage schedules, and handle biometric data. Because it acts as a web portal for administrative and employee tasks, it often resides on servers that connect to local networks or the public internet.

How does CVE-2023-38951 impact the server?

This vulnerability involves a path traversal weakness, categorized as CWE-22. It allows an attacker to manipulate file paths, effectively letting them create or overwrite files anywhere on the host system. Because the application lacks proper input sanitization in its settings fields, this file-write capability can be leveraged to execute malicious commands with the highest level of system privileges.

Do I need to be logged in to trigger this bug?

Yes, exploiting this vulnerability requires authentication. The flaw resides in how the server processes requests to specific file-related endpoints; it does not trigger through unauthorized, unauthenticated access. However, once an attacker has authenticated access to the interface, they can supply crafted data in specific input fields to bypass existing file protections.

Is my BioTime installation at risk?

If you host this software, your risk depends on network reachability. Halo Surface Signal identifies ZKTeco BioTime as a web-based service frequently configured for either internal or external network access. If your specific instance is reachable across network segments—especially if it faces the public internet—it is more accessible to potential attackers.

What is the recommended first step to respond?

Start by identifying every instance of BioTime running in your environment. Once you have a complete inventory, verify the reachability and business criticality of each server. After assessing your footprint, coordinate with your infrastructure team to prioritize applying vendor updates to resolve the flaw and mitigate the risk of unauthorized system-level access.

References