CVE-2024-13966

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://krashconsulting.com/fury-of-fingers-biotime-rce/	Third Party Advisory
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json	Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2024-13966	Third Party Advisory
https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf	Product
https://www.zkteco.com/en/Security_Bulletinsibs/18	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zkteco:biotime:*:*:*:*:*:*:*:*

History

26 Sep 2025, 14:01

Type	Values Removed	Values Added
CPE		cpe:2.3:a:zkteco:biotime::::::::
First Time		Zkteco Zkteco biotime
References	~~() https://krashconsulting.com/fury-of-fingers-biotime-rce/ -~~	() https://krashconsulting.com/fury-of-fingers-biotime-rce/ - Third Party Advisory
References	~~() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json -~~	() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json - Third Party Advisory
References	~~() https://www.cve.org/CVERecord?id=CVE-2024-13966 -~~	() https://www.cve.org/CVERecord?id=CVE-2024-13966 - Third Party Advisory
References	~~() https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf -~~	() https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf - Product
References	~~() https://www.zkteco.com/en/Security_Bulletinsibs/18 -~~	() https://www.zkteco.com/en/Security_Bulletinsibs/18 - Vendor Advisory

14 Jul 2025, 15:15

Type	Values Removed	Values Added
References		() https://www.zkteco.com/en/Security_Bulletinsibs/18 -

28 May 2025, 19:15

Type	Values Removed	Values Added
References		() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json - () https://www.cve.org/CVERecord?id=CVE-2024-13966 -

28 May 2025, 15:01

Type	Values Removed	Values Added
Summary		(es) ZKTeco BioTime permite a atacantes no autenticados enumerar nombres de usuario e iniciar sesión como cualquier usuario con una contraseña que no sea la predeterminada "123456". Los usuarios deben cambiar sus contraseñas (ubicadas en la pestaña "Configuración de Asistencia" como "Contraseña propia").

27 May 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-27 19:15

Updated : 2025-09-26 14:01

NVD link : CVE-2024-13966

Mitre link : CVE-2024-13966

CVE.ORG link : CVE-2024-13966

JSON object : View

Products Affected

zkteco

biotime

CWE

CWE-1393

Use of Default Password

7.3 /10