CVE-2025-15128
Unprotected Credential Storage in ZKTeco BioTime Endpoint Component
Publication date: 2025-12-28
Last updated on: 2026-02-24
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zkteco | biotime | 9.0.4 |
| zkteco | biotime | 9.0.3 |
| zkteco | biotime | 9.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-255 | Credentials Management Errors: weaknesses related to the management of credentials. |
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ZKTeco BioTime versions up to 9.0.3, 9.0.4, and 9.5.2, specifically in an unidentified part of the file `/base/safe_setting/` belonging to the Endpoint component. Manipulation of the arguments `backup_encryption_password_decrypt` and `export_encryption_password_decrypt` leads to unprotected storage of credentials: sensitive credential material is stored without encryption or other protection, and the weakness can be exploited remotely. The exploit is publicly available.
How can this vulnerability impact me?
The vulnerability can lead to exposure of sensitive credentials due to unprotected storage, which can be accessed remotely by attackers. This can compromise the security of the affected system, potentially allowing unauthorized access or further exploitation. However, the impact is limited to confidentiality as the integrity and availability are not affected according to the CVSS scores.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability leads to unprotected storage and exposure of sensitive administrative credentials, allowing unauthorized access and full administrative compromise of the affected system. This exposure of sensitive information and lack of proper access controls can result in violations of data protection and security requirements mandated by common standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive data and ensuring proper access controls. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by compromising confidentiality and security of sensitive information. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access the vulnerable endpoint `/base/safe_setting/` on your ZKTeco BioTime system.

For versions 9.0.3 and 9.5.2, this endpoint is accessible without authentication and returns HTML containing cleartext sensitive passwords. A simple command to test this is:

`curl http://<target>/base/safe_setting/`

If the response contains the fields `backup_encryption_password_decrypt` and `export_encryption_password_decrypt` with cleartext passwords, your system is vulnerable.

For version 9.0.4, authentication is required but authorization is missing, so a low-privilege authenticated user can also access this endpoint with a similar curl command that includes session cookies.

Monitoring network traffic for HTTP GET requests to `/base/safe_setting/` can also help detect exploitation attempts. [1, 2, 3]
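The log-monitoring idea above, worked through as an added example that is not part of the advisory: a small scanner over reverse-proxy access logs (Apache/nginx combined format is assumed) that flags every request to `/base/safe_setting/` and distinguishes responses that actually served the page from those that were redirected or denied. The sample log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Combined log format as written by Apache/nginx (assumption: BioTime sits behind such a proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory; requests may carry a trailing slash or a query string.
SENSITIVE_PATH = "/base/safe_setting"


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    verdict: str


def classify(status: int) -> str:
    """A 2xx means the page body (and possibly the cleartext fields) left the server."""
    if 200 <= status < 300:
        return "possible exposure"
    if status in (301, 302, 401, 403):
        return "blocked"  # redirected to login or denied by an authorization check
    return "other"


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per request whose normalized path is the sensitive endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != SENSITIVE_PATH:
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], m["method"], status, classify(status)))
    return findings


# Constructed sample lines: one unauthenticated fetch that succeeded, one unrelated page,
# one redirected-to-login attempt with a query string, one POST denied with 403.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:02:14:31 +0000] "GET /base/safe_setting/ HTTP/1.1" 200 5123 "-" "curl/8.5.0"',
    '10.0.0.12 - - [10/Jan/2026:09:01:02 +0000] "GET /login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:02:15:00 +0000] "GET /base/safe_setting/?x=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '10.0.0.45 - - [10/Jan/2026:11:20:45 +0000] "POST /base/safe_setting/ HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} -> {f.status} ({f.verdict})")
```

Feed it the proxy's access log (one line per list element) and treat any "possible exposure" entry from an untrusted source address as a confidentiality incident requiring rotation of the backup and export encryption passwords.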
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Restrict remote access to the vulnerable endpoint `/base/safe_setting/` by applying firewall rules that limit access to trusted internal networks only.
2. Upgrade the ZKTeco BioTime software to version 9.0.6 or later, where the vulnerability is fully fixed with proper authorization checks and no sensitive information exposure.
3. Monitor for any unauthorized access attempts to the endpoint.

Since the vendor did not provide a patch before 9.0.6, network-level restrictions are critical to reduce exposure until the upgrade can be performed. [1, 3]