
ZKTeco BioTime CVE-2025-15128

MEDIUM
Credentials Management Errors (CWE-255)
2025-12-28 cna@vuldb.com
5.5
CVSS 4.0 · Vendor: vuldb

Severity by source

- Vendor (vuldb), primary: 5.5 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vuln.today AI: 5.3 MEDIUM
  Network-accessible endpoint requires no authentication (PR:N) and yields only partial credential disclosure (C:L); no integrity or availability impact is indicated.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS Vector (Vendor: vuldb)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: X (not a CVSS 4.0 metric; shown as not defined)

Lifecycle Timeline

1. Analysis generated: Jun 11, 2026, 09:31 (vuln.today)

Description (CVE.org)

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. It affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Manipulating the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. The vulnerability can be exploited remotely. A public exploit exists and may be used. Upgrading to version 9.0.6 mitigates this issue; it is recommended to upgrade the affected component. The vendor confirms: "The mainstream version ZKBioTime V9.0.6 has fixed this vulnerability. Please update to the latest version as soon as possible. For the Middle East version BioTime 9.5.X, you can contact the local technical support to obtain the fix package."

Analysis (AI)

Unauthenticated remote access to ZKTeco BioTime's /base/safe_setting/ endpoint exposes stored credential material via manipulable backup_encryption_password_decrypt and export_encryption_password_decrypt parameters, affecting versions 9.0.3, 9.0.4, and 9.5.2. The CVSS 4.0 vector (PR:N/UI:N) and an 'Authentication Bypass' tag confirm no credentials or user interaction are required, enabling any network-reachable attacker to retrieve encryption passwords from the application. A public proof-of-concept exploit is available on GitHub, directly lowering the skill barrier for exploitation, though the vulnerability is not yet listed in CISA KEV.

Technical Context (AI)

ZKTeco BioTime is a web-based biometric time-attendance and workforce management platform widely deployed in enterprise and government environments. The vulnerable component is the /base/safe_setting/ API endpoint, which handles backup and export encryption configuration. The root cause is CWE-255 (Credentials Management Errors): the endpoint accepts the arguments backup_encryption_password_decrypt and export_encryption_password_decrypt and returns or processes decrypted credential values without enforcing authentication. This is consistent with an IDOR (Insecure Direct Object Reference) pattern, as suggested by the GitHub POC repository name. The CVSS 4.0 base vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L confirms the flaw is network-reachable, requires no special conditions or privileges, and results in partial confidentiality loss on the vulnerable system. No CPE identifiers were supplied in the source data.

Affected Products (AI)

ZKTeco BioTime versions up to and including 9.0.3, 9.0.4, and 9.5.2 are confirmed affected per the vendor security bulletin at https://www.zkteco.com/en/Security_Bulletinsibs/24. The mainstream BioTime product line is patched at version 9.0.6. The Middle East regional variant, marketed as BioTime 9.5.X, requires a separate fix package available through ZKTeco local technical support channels. No CPE strings were provided in the source data; affected version ranges are derived from VulDB submission 711813 and corroborated by the vendor's own advisory statement.

Remediation (AI)

The primary fix is to upgrade ZKTeco BioTime to version 9.0.6 or later, as confirmed by the vendor at https://www.zkteco.com/en/Security_Bulletinsibs/24. Operators running the Middle East variant (BioTime 9.5.X) must contact ZKTeco local technical support to obtain the dedicated regional fix package, as version 9.0.6 may not directly apply to that branch. As an interim compensating control before patching, restrict network access to the /base/safe_setting/ endpoint to trusted administrative IP ranges only, via firewall rules or reverse-proxy ACLs. This blocks the unauthenticated attack vector but does not address the underlying flaw and must not substitute for patching. Additionally, rotate all backup encryption and export encryption passwords immediately, as any credentials retrievable through this endpoint should be considered compromised. Internet-facing BioTime deployments should be treated as highest priority.
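To verify whether the endpoint described in the Technical Context section was reached before the ACL from the remediation above was in place, here is an added example (not code from vuln.today, VulDB or ZKTeco) that scans web server access log lines for requests to /base/safe_setting/ carrying either named parameter from an address outside the trusted admin ranges. It assumes a standard combined-format access log in front of BioTime and a hypothetical trusted range of 10.0.0.0/8; the log lines are constructed samples.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Endpoint and argument names as given in the advisory text.
TARGET_PATH = "/base/safe_setting/"
SENSITIVE_PARAMS = {"backup_encryption_password_decrypt",
                    "export_encryption_password_decrypt"}

# Combined log format: client IP, request line, status (assumed; adjust to your proxy).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan_access_log(lines, trusted_cidrs):
    """Return one alert per request that hit the vulnerable endpoint with a
    sensitive parameter from a source outside the trusted admin ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        hit = SENSITIVE_PARAMS.intersection(parse_qs(parts.query, keep_blank_values=True))
        if not hit:
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in trusted):
            continue  # expected administrative access
        alerts.append({"ip": m["ip"], "params": sorted(hit), "status": int(m["status"])})
    return alerts

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.5.20 - - [28/Dec/2025:10:01:02 +0000] "GET /base/safe_setting/?backup_encryption_password_decrypt=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Dec/2025:10:03:44 +0000] "GET /base/safe_setting/?export_encryption_password_decrypt=1 HTTP/1.1" 200 498',
    '203.0.113.7 - - [28/Dec/2025:10:03:50 +0000] "GET /base/safe_setting/?backup_encryption_password_decrypt=1&export_encryption_password_decrypt=1 HTTP/1.1" 200 610',
    '198.51.100.9 - - [28/Dec/2025:10:05:00 +0000] "GET /base/safe_setting/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [28/Dec/2025:10:05:10 +0000] "GET /login/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(alert)
```

A 200 status on a flagged line is the signal to treat the backup and export encryption passwords as compromised and rotate them.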
