CVE-2023-38950: A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers...
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Security readout for executives and security teams
Plain-English summary
CVE-2023-38950 lets an unauthenticated attacker read arbitrary files from ZKTeco BioTime v8.5.5 through the iclock API. This can expose sensitive server files without needing a password. CISA lists it in the Known Exploited Vulnerabilities catalog, so organizations should treat it as actively exploited.
Executive priority
Prioritize remediation immediately. This is not just a theoretical bug: CISA tracks it as known exploited. Exposure can lead to sensitive file disclosure from systems often connected to employee time, attendance, biometric, or access-control environments.
Technical view
The flaw is a CWE-22 path traversal in the iclock API of ZKTeco BioTime v8.5.5. CVSS 3.1 is 7.5: network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact only. The source bundle states it was fixed in ZKBioTime version 9.0.120240617.19506.
Likely exposure
Confirmed exposure is ZKTeco BioTime v8.5.5. The provided affected-product table is incomplete, so broader version impact is not established here. Highest concern is any internet-accessible BioTime/ZKBioTime deployment, especially systems tied to workforce, biometric, or access-control operations.
Exploitation context
CISA KEV inclusion supports known exploitation in the wild. The bundle also references a public exploit listing, increasing attacker accessibility. The provided sources do not establish exploitation scale, specific threat actors, or affected geographies for this CVE.
Researcher notes
Do not rely on the NVD-style affected table in the bundle; it is incomplete. The clearest sourced affected version is BioTime v8.5.5, with a stated fixed ZKBioTime build. Public exploit availability is indicated, but this analysis intentionally omits payload and exploitation detail.
Mitigation direction
Upgrade to ZKBioTime version 9.0.120240617.19506 or later if applicable.
Review ZKTeco and Claroty guidance for current product-specific instructions.
Remove public internet exposure for BioTime/ZKBioTime management and API interfaces.
Restrict access to trusted networks, VPNs, or management segments.
Investigate possible file disclosure if the system was exposed before remediation.
Validation and detection
Inventory BioTime/ZKBioTime deployments and confirm exact installed versions.
Identify whether any iclock API endpoint is externally reachable.
Check CISA KEV for current due-date and exploitation status.
Review application, web, proxy, and WAF logs for suspicious traversal attempts.
Verify remediation by confirming the fixed version is installed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-22 · source CWE mapping
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.