What happened
CISA added CVE-2023-38950 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-05-19, signaling confirmed in-the-wild exploitation of this flaw (CISA KEV). The vulnerability affects ZKTeco BioTime and is a path traversal in the iclock API that allows an unauthenticated attacker to read arbitrary files via a crafted payload (CISA KEV). The CVE entry ties the issue to ZKTeco BioTime and tags the underlying weakness as directory traversal (CWE-22) per federal scoring repositories (NVD CVE-2023-38950). CISA’s entry sets a remediation due date of 2025-06-09 for U.S. FCEB agencies and directs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable (CISA KEV). MITRE maintains the canonical CVE record, confirming the vulnerability’s registration and the identifier used for coordination across tools (MITRE CVE).
Why it matters
Path traversal (CWE-22) lets an attacker manipulate file paths to access resources outside the intended directory, directly threatening the confidentiality of local files (MITRE CWE-22). When the flaw is reachable without authentication, the exploitation barrier drops drastically and opportunistic scanning becomes viable at internet scale (CISA KEV). KEV inclusion means exploitation has been observed by credible sources and that patching or mitigation is a time-bound priority for regulated environments (CISA KEV). Arbitrary file-read vulnerabilities routinely enable theft of application secrets and configuration data, which can fuel lateral movement or deeper compromise of adjacent systems (MITRE CWE-22). The CVE/NVD record formally scopes the issue to ZKTeco BioTime, focusing remediation and detection efforts on that product line rather than on blind guesswork (NVD CVE-2023-38950).
Technical detail
Per CISA, ZKTeco BioTime’s iclock API improperly validates file path input, enabling a crafted payload to traverse directories and read arbitrary files (CISA KEV). The condition maps to CWE-22 (Path Traversal), where attackers commonly inject sequences like "../" or absolute paths to escape the application’s intended file root (MITRE CWE-22). The attack is unauthenticated, meaning the vulnerable code path is reachable without valid credentials and can be triggered by an external actor (CISA KEV). The NVD entry anchors the vulnerability to CVE-2023-38950 and provides the standardized taxonomy for downstream tooling and risk workflows (NVD CVE-2023-38950). The MITRE CVE record exists as the authoritative namespace, ensuring scanners and advisory feeds reference the same identifier when flagging BioTime deployments (MITRE CVE).
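To make the weakness class concrete, the following Python is an added example (not ZKTeco’s code and not BioTime’s actual iclock handler) showing the naive file-root join that CWE-22 describes beside a hardened resolver. The root directory, the file names and the `unsafe_resolve`/`safe_resolve` helpers are constructed for illustration. It demonstrates both escape routes the paragraph names: "../" segments walking out of the root, and an absolute path that makes `os.path.join` discard the root altogether. The containment check in the hardened form runs on the fully resolved filesystem path, after any percent-decoding, rather than on the request text.

```python
"""Added illustration of CWE-22 path traversal: the naive join beside a hardened
resolver. Example code only; not ZKTeco BioTime's implementation."""
import os
from typing import Optional
from urllib.parse import unquote

FILE_ROOT = "/srv/app/files"  # hypothetical application file root


def unsafe_resolve(root: str, requested: str) -> str:
    """The classic mistake: join user input onto the root and trust the result.
    '../' segments walk out of the root, and an absolute path makes
    os.path.join discard the root entirely."""
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened form: canonicalise both root and candidate, then accept the
    candidate only if it is still inside the root. Any percent-encoding the web
    layer has not already removed is decoded first, so the containment check
    runs on the final filesystem path rather than on the request text."""
    candidate = unquote(requested)
    if not candidate or "\x00" in candidate or os.path.isabs(candidate):
        return None
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, candidate))
    try:
        # commonpath, not startswith: '/srv/app/files-old' starts with the
        # root string but is not inside the root directory.
        if os.path.commonpath([real_root, real_path]) != real_root:
            return None
    except ValueError:  # mixed absolute/relative paths or different drives
        return None
    return real_path


if __name__ == "__main__":
    # Constructed requests: one legitimate, one '../' walk, one absolute path.
    for req in ("reports/2025.csv", "../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:24} unsafe -> {unsafe_resolve(FILE_ROOT, req)!s:32}"
              f" safe -> {safe_resolve(FILE_ROOT, req)}")
```

Note that a doubly encoded sequence such as `%252e%252e/` decodes to the literal directory name `%2e%2e`, which is not traversal at the filesystem level; the hardened resolver lets it through (it will simply fail to open), which is the correct outcome when the check is made on the resolved path instead of on request strings.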
Defense
CISA directs organizations to apply vendor mitigations for CVE-2023-38950 or discontinue use if no mitigations are available, with a due date of 2025-06-09 for FCEB agencies (CISA KEV). Reduce exposure by removing direct internet access to the BioTime iclock interface and placing it behind authenticated access controls or an allowlist while patches are validated (CISA KEV). Implement temporary request filtering for directory traversal patterns (for example, dot-dot-slash and encoded variants) at reverse proxies or WAFs while maintaining application functionality (MITRE CWE-22). Monitor server and reverse-proxy logs for requests containing traversal sequences, plain or encoded, and for file-access patterns consistent with the arbitrary file reads that path traversal weaknesses enable (MITRE CWE-22). Ensure your vulnerability management pipeline ingests NVD data for CVE-2023-38950 so BioTime assets are discoverable and tracked to closure in change-control workflows (NVD CVE-2023-38950). Treat any exploitation indicators as a potential confidentiality incident and follow KEV/BOD directives for prioritized remediation and validation (CISA KEV).
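The log-monitoring step above can be implemented with a small scanner; the following Python is an added example, not a Lyrie or ZKTeco tool. The access-log lines, the `/iclock/report?file=` endpoint and parameter name, and the `scan_log` and `hits_by_source` helpers are all constructed for illustration. It decodes each request target repeatedly so that plain, URL-encoded and double-encoded traversal sequences (including backslash variants) are all caught, records how many decoding rounds were needed, and flags a 2xx response on such a request as a likely completed disclosure, which is the signal that turns a scan into a confidentiality incident.

```python
"""Added example: scan reverse-proxy access logs for path-traversal attempts,
including percent-encoded and double-encoded variants. Not a Lyrie or ZKTeco
tool; endpoint names and log lines are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Common/combined-style access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# A '..' segment bounded by a path separator or query delimiter before it and
# a slash or backslash after it. 'app..min.js' does not match; '../' does.
TRAVERSAL = re.compile(r'(?:^|[\\/=?&])\.\.(?=[\\/])')

ENCODING_LABEL = {0: "plain", 1: "url-encoded", 2: "double-encoded"}


def fully_decode(text: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the text stops changing; return it together with
    the number of rounds needed, which shows how the payload was disguised."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per request whose decoded target contains a traversal
    segment. A 2xx status on such a request means the server answered it,
    the strongest hint in the log that a file was actually disclosed."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; in production, count and report these
        decoded, rounds = fully_decode(m["target"])
        if not TRAVERSAL.search(decoded):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "decoded": decoded,
            "encoding": ENCODING_LABEL.get(rounds, f"{rounds}x-encoded"),
            "status": status,
            "likely_disclosed": 200 <= status < 300,
        })
    return findings


def hits_by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per source IP to surface scanners and repeat offenders."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


# Constructed sample log (RFC 5737 documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2025:10:01:02 +0000] "GET /iclock/report?file=../../../etc/passwd HTTP/1.1" 200 1423',
    '203.0.113.7 - - [19/May/2025:10:01:05 +0000] "GET /iclock/report?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 162',
    '198.51.100.23 - - [19/May/2025:10:02:41 +0000] "GET /iclock/report?file=%252e%252e%252f%252e%252e%252fconfig%252fsettings.ini HTTP/1.1" 200 2210',
    '192.0.2.44 - - [19/May/2025:10:03:00 +0000] "GET /iclock/report?file=daily.csv HTTP/1.1" 200 5120',
    '192.0.2.44 - - [19/May/2025:10:03:01 +0000] "GET /static/app..min.js HTTP/1.1" 200 88012',
    '203.0.113.7 - - [19/May/2025:10:04:10 +0000] "GET /iclock/report?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        flag = "DISCLOSED?" if f["likely_disclosed"] else "blocked/missed"
        print(f'{f["ts"]} {f["ip"]:15} {f["encoding"]:14} {f["status"]} {flag} {f["decoded"]}')
    print("hits by source:", hits_by_source(found))
```

In the sample, the 403 shows a WAF rule doing its job on the encoded attempt, while the two 200 responses are the events to escalate: a traversal request that the application answered. Pairing the finding with the response size (the `bytes` field is captured but unused here) gives a second hint that content came back.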
Lyrie Verdict
This is a straightforward, unauthenticated file read via path traversal on BioTime’s iclock API: ideal for automated mass scanning and smash-and-grab data theft (CISA KEV). Lyrie instruments network and application telemetry to flag directory traversal patterns (../ and encoded variants) targeting suspected iclock endpoints and auto-elevates those flows to block/contain at machine speed before file disclosure completes (MITRE CWE-22). Because KEV means active exploitation, Lyrie treats inbound requests matching traversal signatures to BioTime services as high-confidence malicious, isolating the asset, throttling the session, and alerting with CVE linkage for rapid operator confirmation (CISA KEV). We map detections and response to the CVE identifier to ensure consistent triage across inventories and change tickets without waiting on human regex wrangling (NVD CVE-2023-38950).
Lyrie Verdict
Unauthenticated path traversal against BioTime’s iclock API is being exploited; Lyrie auto-detects ../ traversal patterns and isolates targeted services at wire speed to prevent file disclosure.