CVE-2025-15128

MEDIUM

ZKTeco BioTime <9.0.3/9.0.4/9.5.2 - Info Disclosure

Title source: llm

Description

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Permissions Required, VDB Entry] https://vuldb.com/?id.338506

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.338506

[Permissions Required, VDB Entry] https://vuldb.com/?submit.711813

[Various Sources] https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main

View Exploit ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-255 CWE-256

Status published

Products (8)

ZKTeco/BioTime 9.0.0

ZKTeco/BioTime 9.0.1

ZKTeco/BioTime 9.0.2

ZKTeco/BioTime 9.0.3

ZKTeco/BioTime 9.0.4

ZKTeco/BioTime 9.5.0

ZKTeco/BioTime 9.5.1

ZKTeco/BioTime 9.5.2

Published Dec 28, 2025

Tracked Since Feb 18, 2026