CVE-2023-38950
high-risk
Published 2023-08-03
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Do I need to act?
!
83.4% chance of exploitation in next 30 days
EPSS score — higher than 17% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (7)
Product
http://zkteco.com
Third Party Advisory
https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
Product
http://zkteco.com
Third Party Advisory
https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-...
Technical Description
https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-res...
58
/ 100
high-risk
Severity
26/34 · High
Exploitability
27/34 · High
Exposure
5/34 · Minimal