Is CVE-2023-38952 actively exploited?

CVE-2023-38952 has no public evidence of in-the-wild exploitation as of 2025-05-27.

What is the CVSS score for CVE-2023-38952?

CVE-2023-38952 has a CVSS score of 7.5 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

How do I patch CVE-2023-38952?

Patch guidance is available from zkteco security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2023-38952.

Fix CVE-2023-38952 - HIGH zkteco biotime

Description

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
Weaknesses: CWE-552 CWE-552

Metadata

Primary Vendor: ZKTECO
Published: 8/3/2023
Last Modified: 5/27/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2023-38952

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary