Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

N/A

Source -

N/A

CNA CVEs -

0

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
8Vulnerabilities found
CVE-2025-45746
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 41.29%
||
7 Day CHG~0.00%
Published-13 May, 2025 | 00:00
Updated-21 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.

Action-Not Available
Vendor-ZKTeco Co., Ltd.
Product-zkbio_cvsecurityZKBio CVSecurity
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-36526
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.41%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 00:00
Updated-17 Jun, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-259
Use of Hard-coded Password
CVE-2024-35433
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.10% / 27.41%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 17:10
Updated-17 Jun, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-284
Improper Access Control
CVE-2024-35428
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.79% / 72.83%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 17:02
Updated-13 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-35429
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 49.00%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 16:20
Updated-13 Feb, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-31
Path Traversal: 'dir\..\..\filename'
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-35431
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 78.89%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 16:10
Updated-17 Jun, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-31
Path Traversal: 'dir\..\..\filename'
CVE-2024-35432
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 38.68%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 16:05
Updated-17 Jun, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-35430
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.07% / 21.14%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 15:55
Updated-09 Jul, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-269
Improper Privilege Management