CVE-2023-38950
Severity: HIGH · CVSS v3.1: 7.5 · EPSS: 0.8488 (99.7 percentile) · CISA KEV: Yes
At a glance
- Severity
- HIGH
- CVSS
- 7.5 v3.1 · NVD
- EPSS
- 0.8488 (99.7 percentile) · FIRST.org
- CISA KEV
- Yes KEV added: 2025-05-19
- Type
- Path Traversal · NVD CWE
- Attack conditions (CVSS vector)
- Network · No privileges · No user interaction · Source: NVD Vector
- Affected vendors
- zkteco
- Published
- 2023-08-03 · Modified: 2026-07-05
- References
- 5 (listed below)
CVSS / EPSS / KEV
Source: CVSS from NVD · EPSS from FIRST.org · KEV from CISA.
Description
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files from the server by supplying a crafted payload. The vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime. Because the flaw needs no credentials and no user interaction, any exposed BioTime instance below the fixed version should be treated as reachable by the attacks that led to its CISA KEV listing.
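The two checks a responder wants for this entry are a version test against the fixed release and a log sweep for traversal attempts against the iclock API. The block below is an added example, not code from this page, ZKTeco or NVD. It assumes the API is served under a path prefix containing `/iclock/`; the endpoint `file` and the query parameter `path` in the constructed sample log lines are placeholders, because the page does not name the vulnerable endpoint or parameter, and the detector deliberately inspects every path segment and every query value rather than relying on them. Treating every dotted release below 9.0.120240617.19506 as affected is also an assumption; the page only states that 8.5.5 is affected and which version carries the fix.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Fixed release quoted in the NVD description for CVE-2023-38950.
FIXED_VERSION = "9.0.120240617.19506"

# Constructed sample access-log lines (combined log format). The "file" endpoint
# and "path" parameter are placeholders; the page does not name the real ones.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2025:10:01:02 +0000] "GET /iclock/file?path=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.0"
10.0.0.5 - - [19/May/2025:10:01:03 +0000] "GET /iclock/file?path=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 1102 "-" "curl/8.0"
10.0.0.5 - - [19/May/2025:10:01:04 +0000] "GET /iclock/file?path=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.31"
192.168.1.20 - - [19/May/2025:10:02:00 +0000] "GET /iclock/cdata?SN=ABC123&options=all HTTP/1.1" 200 512 "-" "iClock"
192.168.1.21 - - [19/May/2025:10:02:30 +0000] "GET /static/js/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." that forms its own path segment (after decoding and slash normalisation).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e%252f are seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a parent-directory segment,
    accepting backslashes as separators as well."""
    normalised = fully_decode(value).replace("\\", "/")
    return TRAVERSAL_RE.search(normalised) is not None


def is_iclock_traversal(target):
    """Flag a request target whose path is under /iclock/ and whose path or
    any query value carries a traversal sequence (parameter name ignored)."""
    parts = urlsplit(target)
    if "/iclock/" not in fully_decode(parts.path).lower():
        return False
    if has_traversal(parts.path):
        return True
    return any(has_traversal(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(text):
    """Return (client_ip, target, status) for every suspicious iclock request.
    A 200 on such a request is the strongest signal: the file was served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_iclock_traversal(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


def _version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_fixed(version):
    """True if a reported ZKBioTime version is at or above the fixed release.
    Assumption: every earlier dotted release is treated as affected."""
    return _version_tuple(version) >= _version_tuple(FIXED_VERSION)


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
    for v in ("8.5.5", FIXED_VERSION):
        print(v, "fixed" if is_fixed(v) else "affected")
```

Run the log sweep against the BioTime front-end or reverse-proxy access logs going back at least to the KEV addition date; a hit with status 200 from an address that is not a known terminal should be handled as a confirmed read of server files, not merely an attempt.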
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
- Reference http://zkteco.com
- Reference https://sploitus.com/exploit?id=PACKETSTORM:177859
- CISA https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38950
- Reference https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-midd…