User Enumeration and Default Password Vulnerability in ZKTeco BioTime
CVE-2024-13966

6.9 MEDIUM

Key Information:

Vendor: Zkteco
Status: Vendor
CVE Published: 27 May 2025

What is CVE-2024-13966?

ZKTeco's BioTime software contains a serious vulnerability that allows unauthenticated attackers to enumerate usernames within the system. Attackers can also exploit this flaw to log in as any user whose password is still the default value of '123456'. Users should change their passwords immediately to prevent unauthorized access. The password change option is located under the Attendance Settings tab, labeled 'Self-Password'.

Affected Version(s)

BioTime *

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
