PT-2023-4123 · Zkteco · Zkteco Biotime

Published: 2023-08-01 · Updated: 2025-05-03 · CVE-2023-38949

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: ZKTeco BioTime version 8.5.5

Description: The issue is related to a hidden API in the ZKTeco BioTime platform, which allows unauthenticated attackers to reset the Administrator password via a crafted web request. This can be exploited by a remote attacker, potentially leading to unauthorized access. The vulnerability is associated with the use of dangerous methods or functions in the web platform's interface.

Recommendations: For ZKTeco BioTime version 8.5.5, consider restricting access to the hidden API endpoint until a patch is available. As a temporary workaround, limit the ability to reset the Administrator password to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
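One way to apply the recommendation above is to put the endpoint behind a reverse proxy that allow-lists the administrative network and rejects everyone else. The nginx configuration below is an added example, not part of this advisory and not ZKTeco's own configuration; the upstream address, hostname, admin CIDR and, above all, the endpoint path are placeholders, since the advisory does not name the hidden API. The path must be taken from the vendor's guidance for your deployment before this fragment is useful.

```nginx
# Added example (not from the PT advisory or from ZKTeco).
# Assumptions, all placeholders to be replaced for a real deployment:
#   - BioTime is reachable only through this nginx instance;
#   - the application listens on the upstream address below;
#   - the hidden password-reset API lives under the path marked PLACEHOLDER.

upstream biotime_app {
    server 127.0.0.1:8000;                    # placeholder: BioTime app server
}

server {
    listen 443 ssl;
    server_name biotime.example.internal;     # placeholder hostname

    # ssl_certificate / ssl_certificate_key for your deployment go here.

    # Temporary mitigation: expose the hidden reset endpoint only to the
    # administrative network. Requests from any other source are answered
    # with 403 by ngx_http_access_module before they reach the application.
    # A dedicated access log makes attempts easy to alert on.
    location /PLACEHOLDER/hidden-reset-api/ {
        allow 10.0.0.0/24;                    # placeholder: admin network
        deny  all;
        access_log /var/log/nginx/biotime-reset-api.log;

        proxy_pass http://biotime_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Normal application traffic is proxied unchanged.
    location / {
        proxy_pass http://biotime_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats apply. The rule only helps if the application server cannot be reached directly (bind it to loopback or firewall its port so that the proxy is the sole path in), and 403 entries in the dedicated log are worth feeding to monitoring, because each one is a reset attempt from outside the allowed range. Remove the restriction once a vendor fix is installed and verified.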

Weakness Enumeration

Related Identifiers: BDU:2023-04432, CVE-2023-38949

Affected Products: Zkteco Biotime