ZKTeco BioTime Default Password Vulnerability

Vulnerability

A vulnerability in ZKTeco BioTime allows unauthenticated attackers to log in as any user whose password has not been changed from the default '123456'. The issue is compounded because usernames can be easily enumerated and the application does not properly validate user roles, which can allow an ordinary employee account to perform administrative actions. Users are advised to change their passwords through the 'Self-Password' option in the Attendance Settings.

Impact

Exploitation of this vulnerability allows unauthorized access to user accounts, with the potential for privilege escalation to administrative rights, depending on the account accessed.

Reproduction

The vulnerability can be reproduced by enumerating usernames and attempting to log in with the default password '123456'. Once logged in, if the account has administrative privileges, it is possible to perform admin actions.
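Defender-side detection for the pattern described above (one source trying many distinct usernames in a short window, then a successful login), as an added example that is not part of this advisory or of ZKTeco's software. The log line format, IP addresses, usernames and thresholds are constructed assumptions; BioTime's real log format is not given on this page.

```python
"""Flag default-credential sweeps: one client IP attempting many distinct
usernames within a short window, and any successful login inside that window.
Added example, not ZKTeco code; the log format below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (format is assumed, not BioTime's):
# "<ISO timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2025-06-09T19:40:01 203.0.113.7 alice LOGIN_FAIL
2025-06-09T19:40:02 203.0.113.7 bob LOGIN_FAIL
2025-06-09T19:40:03 203.0.113.7 carol LOGIN_FAIL
2025-06-09T19:40:04 203.0.113.7 dave LOGIN_FAIL
2025-06-09T19:40:05 203.0.113.7 erin LOGIN_OK
2025-06-09T19:41:00 198.51.100.2 frank LOGIN_FAIL
2025-06-09T19:41:30 198.51.100.2 frank LOGIN_OK
"""

DISTINCT_USER_THRESHOLD = 4      # distinct usernames from one IP ...
WINDOW = timedelta(minutes=5)    # ... within this window counts as a sweep

def parse(log_text):
    """Return events sorted by time as (timestamp, ip, user, result)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_sweeps(log_text, threshold=DISTINCT_USER_THRESHOLD, window=WINDOW):
    """Return {ip: {"users_tried": n, "compromised": [users]}} for each IP that
    tried >= threshold distinct usernames within `window`. LOGIN_OK events in
    the same window are accounts likely still on the default password."""
    per_ip = defaultdict(list)
    for ev in parse(log_text):
        per_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= threshold and len(users) >= findings.get(ip, {}).get("users_tried", 0):
                ok = sorted({e[2] for e in span if e[3] == "LOGIN_OK"})
                findings[ip] = {"users_tried": len(users), "compromised": ok}
    return findings

if __name__ == "__main__":
    for ip, f in detect_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {f['users_tried']} usernames tried, successes: {f['compromised']}")
```

Accounts listed under "compromised" are the ones to reset first via 'Self-Password' in the Attendance Settings.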

Remediation

Users should change their passwords in the Attendance Settings under 'Self-Password'.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.3
exploitability: 9.1
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.