CVE-2023-38950 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-08-03

Added to CISA KEV: 2025-05-19 655 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade to ZKBioTime version 9.0.120240617.19506 or later
If immediate patching is not possible, restrict network access to the iclock API and implement WAF rules to block path traversal attempts
Monitor for suspicious API requests containing '../' or encoded path traversal sequences in iclock API endpoints
Review system logs for evidence of arbitrary file access attempts
Implement network segmentation to limit exposure of BioTime systems

CVE-2023-38950 is a high-severity path traversal vulnerability affecting the `iclock` API in ZKTeco BioTime version 8.5.5 ^[1] ^[3].

Attack Method: The vulnerability allows an unauthenticated attacker to read arbitrary files from the server by sending a specially crafted request to the `iclock` API ^[1] ^[2].
Requirements: Exploitation is performed over the network and does not require user interaction or authentication ^[3] ^[2].
Impact: Successful exploitation provides attackers with access to sensitive information, such as configuration files or credentials, which can be used to facilitate further attacks against the affected system ^[2].

Active Exploitation: CrowdSec has been tracking this vulnerability and its exploitation since June 25, 2025 ^[2].
Usage: While the vulnerability is known to be exploited in the wild, there is no specific public documentation linking it to widespread ransomware campaigns or identifying specific threat actors using it in targeted attacks at this time.

Affected Version: ZKTeco BioTime v8.5.5 ^[1].
Patch Status: The vulnerability was addressed and fixed in ZKBioTime version 9.0.120240617.19506 ^[1] ^[4]. Users are advised to update to this version or later to mitigate the risk.

CVE-2023-38950 Detail - NVD
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted ... CVE-2023-38950 Detail Description A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers…
ZKBio Time - Path Traversal (CVE-2023-38950) | CrowdSec Console
CVE-2023-38950 is a path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 which allows unauthenticated attackers to read arbitrary files on the server by sending specially crafted requests. This security flaw could be exploited to access sensitive information, configuration files,…
CVE-2023-38950 | High Vulnerability in ZKTeco BioTime
CVE-2023-38950 is a high-severity path traversal vulnerability affecting ZKTeco BioTime v8.5.5. Unauthenticated attackers can exploit this flaw ... Vulnerability Details The vulnerability detailed in CVE-2023-38950 is classified as a path traversal vulnerability affecting the iclock API of ZKTeco Bi…
CVE-2023-38950 : A path traversal vulnerability in the iclock API of ...
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.

🔴 CVE-2023-38950