CVE-2025-15128

MEDIUM EPSS 18.9%
Published Dec 28, 2025 (6mo ago) · Modified Jun 17, 2026 (1w ago)
5.5 CVSS 4.0
Medium

Description

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. It affects an unknown part of the file /base/safe_setting/ in the component Endpoint. Manipulating the argument backup_encryption_password_decrypt/export_encryption_password_decrypt leads to unprotected storage of credentials. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 9.0.6 mitigates this issue; upgrading the affected component is recommended. The vendor confirms: "The mainstream version ZKBioTime V9.0.6 has fixed this vulnerability. Please update to the latest version as soon as possible. For the Middle East version BioTime 9.5.X, you can contact the local technical support to obtain the fix package."

CVSS Details

Base Score
5.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
18.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-255 Credentials Management Errors
CWE-256 Plaintext Storage of a Password

References 6

  • github.com https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main
  • vuldb.com https://vuldb.com/cve/CVE-2025-15128
  • vuldb.com https://vuldb.com/submit/711813
  • vuldb.com https://vuldb.com/vuln/338506
  • vuldb.com https://vuldb.com/vuln/338506/cti
  • zkteco.com https://www.zkteco.com/en/Security_Bulletinsibs/24

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.