| Field | Value |
|---|---|
| Title | ZkBioTime CMS 9.0.3, 9.0.4, 9.5.2 IDOR |

### Description

ZKTeco BioTime – Critical IDOR and Sensitive Information Exposure Across Multiple Versions (Unauthenticated + Low Privilege + Regression)

A critical Insecure Direct Object Reference (IDOR) vulnerability exists in multiple versions of ZKTeco BioTime, allowing attackers to directly access the sensitive configuration endpoint:

```
/base/safe_setting/
```

The endpoint returns HTML containing the parameters:

```
backup_encryption_password_decrypt
export_encryption_password_decrypt
```

These values are exposed in cleartext, and during real-world penetration testing they were found to be identical to the default administrator account password.

Successful exploitation results in immediate full administrative compromise of the BioTime instance.

This issue affects multiple versions, with varying severity depending on the release. It was originally exploitable without authentication, later became accessible to low-privilege authenticated users, and was then reintroduced as an unauthenticated vulnerability in a newer build, before finally being fixed. This represents a patch bypass, incomplete fix, and regression vulnerability, significantly increasing impact and scope.

### Affected Versions

**BioTime 9.0.3 — Critical (Unauthenticated IDOR)**

- `/base/safe_setting/` fully accessible without authentication
- Cleartext administrative encryption passwords exposed
- Results in full admin takeover

**ZKBioTime 9.0.4 Build20250624 — High (Low-Privilege IDOR)**

- Vendor-claimed fix
- Endpoint requires authentication but no authorization controls
- Any low-privilege user can retrieve cleartext password fields
- Still results in admin compromise

**BioTime x.x.x.x Build20250428.2823 — Critical (Unauthenticated Regression)**

- Vulnerability reintroduced
- Endpoint again accessible without authentication
- Full cleartext password disclosure
- Identical impact to 9.0.3

**Fixed Version: ZKBioTime 9.0.6**

- Endpoint protected
- No sensitive information exposed
- Authorization checks enforced

This vulnerability allows complete compromise of the BioTime system in any deployment where the administrative interface is reachable from internal or external networks.
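A detection rule for the exposure described above, added here as an example and not part of the submission or of the PoC repository: it parses access logs of a reverse proxy placed in front of BioTime (combined log format is an assumption; BioTime's own logging is not described here) and flags every request that actually received the `/base/safe_setting/` page, i.e. a 2xx with a body, since on a fixed build an anonymous request should be redirected to the login page or denied. The log lines below are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample lines in combined log format (assumed reverse proxy in front of
# BioTime); they are not real traffic and not taken from the PoC repository.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2025:14:46:01 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2025:14:46:09 +0000] "GET /base/safe_setting/ HTTP/1.1" 200 8731 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/Dec/2025:14:47:30 +0000] "GET /base/safe_setting/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2025:14:48:02 +0000] "GET /base/safe_setting/?tab=backup HTTP/1.1" 200 2210 "-" "curl/8.4.0"',
    '10.0.0.9 - - [10/Dec/2025:14:48:05 +0000] "POST /base/safe_setting/ HTTP/1.1" 403 120 "-" "curl/8.4.0"',
]

# Source, timestamp, request line, status and response size of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SENSITIVE_PATH = "/base/safe_setting/"  # endpoint named in the advisory


@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    method: str
    path: str
    status: int


def flag_safe_setting_reads(lines: Iterable[str]) -> List[Hit]:
    """Return every request that was actually served the safe_setting page.

    A 302 (redirect to login) or 403 means access control did its job; a 2xx with
    a non-empty body means the HTML, and with it the *_decrypt fields, went out.
    """
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore query string variants
        if path != SENSITIVE_PATH:
            continue
        status = int(m.group("status"))
        if 200 <= status < 300 and m.group("size") not in ("-", "0"):
            hits.append(Hit(m.group("src"), m.group("ts"), m.group("method"),
                            m.group("path"), status))
    return hits
```

The log format cannot show whether a 2xx went to an anonymous or a low-privilege session, so on 9.0.4 every hit still needs correlating with the user that owned the session.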
### Vulnerability Classification

- IDOR / Broken Access Control (CWE-639, CWE-284)
- Sensitive Information Exposure (CWE-200)
- Improper Access Control (CWE-863)
- Regression Vulnerability
- Incomplete Fix / Patch Bypass

Severity: CRITICAL

### Proof of Concept

A full PoC with screenshots demonstrating exploitation across all affected versions is available here:

GitHub PoC Repository: https://github.com/ionutluca888/ZKBioTime-IDOR-POC

The repository includes:

- Unauthenticated exploitation (9.0.3, 9.5.2)
- Low-privilege exploitation (9.0.4)
- Response dumps containing cleartext password fields
- Version-specific evidence and build numbers

### Vendor Status

The issue was reported to ZKTeco when 9.0.4 was the latest public version. The vendor acknowledged the class of issue but did not assign a CVE and provided no public advisory covering this specific vulnerability.

Testing confirmed:

- 9.0.4 remained vulnerable (incomplete fix)
- 9.5.2 re-introduced the vulnerability (regression)
- 9.0.6 is the first fully fixed release

No CVE exists for this vulnerability despite its severity and widespread impact.
| Field | Value |
|---|---|
| Source | https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main |
| User | luca_irinel (UID 85391) |
| Submission | 12/10/2025 14:46 (6 months ago) |
| Moderation | 12/27/2025 10:08 (17 days later) |
| Status | Accepted |
| VulDB entry | 338506 [ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2 Endpoint /base/safe_setting/ credentials storage] |
| Points | 20 |