Aggregates CVE and security vulnerability intelligence across all zkteco-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-13966 | ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password"). | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.9 | 0.63% | 2025-05-27 | 2025-09-26 |
| CVE-2025-45746 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform. | [email protected] | 6.5 | 0.86% | 2025-05-13 | 2025-05-21 |
| CVE-2024-11049 | A vulnerability classified as problematic has been found in ZKTeco ZKBio Time 9.0.1. Affected is an unknown function of the file /auth_files/photo/ of the component Image File Handler. The manipulation leads to direct request. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in a | [email protected] | 6.3 | 0.16% | 2024-11-10 | 2024-11-23 |
| CVE-2023-51157 | Cross Site Scripting vulnerability in ZKTeco WDMS v.5.1.3 Pro allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the Emp Name parameter. | [email protected] | 5.4 | 0.78% | 2024-09-25 | 2024-10-02 |
| CVE-2024-36526 | ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. | [email protected] | 9.8 | 0.32% | 2024-07-09 | 2025-06-17 |
| CVE-2024-6523 | A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about thi | [email protected] | 5.3 | 0.09% | 2024-07-05 | 2024-11-21 |
| CVE-2024-6344 | A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains, that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V | [email protected] | 1.9 | 0.10% | 2024-06-26 | 2026-04-29 |
| CVE-2024-6006 | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKB | [email protected] | 2.0 | 0.17% | 2024-06-15 | 2026-04-29 |
| CVE-2024-6005 | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to t | [email protected] | 2.0 | 0.17% | 2024-06-15 | 2026-04-29 |
| CVE-2024-35433 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user. | [email protected] | 8.1 | 0.07% | 2024-05-30 | 2025-06-17 |
| CVE-2024-35431 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1. | [email protected] | 7.5 | 2.97% | 2024-05-30 | 2025-06-17 |
| CVE-2024-35429 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. | [email protected] | 6.5 | 0.45% | 2024-05-30 | 2024-11-21 |
| CVE-2024-35428 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS. | [email protected] | 7.1 | 0.70% | 2024-05-30 | 2025-03-13 |
| CVE-2024-35432 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting. | [email protected] | 6.1 | 0.23% | 2024-05-30 | 2025-06-17 |
| CVE-2024-35430 | In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application. | [email protected] | 8.1 | 0.09% | 2024-05-30 | 2025-07-09 |
| CVE-2023-51142 | An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information. | [email protected] | 7.5 | 0.32% | 2024-04-11 | 2025-06-20 |
| CVE-2023-51141 | An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component | [email protected] | 6.5 | 0.23% | 2024-04-11 | 2025-04-18 |
| CVE-2024-2318 | A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is a | [email protected] | 2.1 | 0.52% | 2024-03-08 | 2026-04-29 |
| CVE-2024-22988 | ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on a predictable timestamp. | [email protected] | 9.8 | 0.11% | 2024-02-23 | 2025-06-07 |
| CVE-2024-1706 | A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input <marquee>hi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: "ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest versi | [email protected] | 2.0 | 0.10% | 2024-02-21 | 2026-04-29 |