CVE-2025-45746

In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2025-45746.md	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:zkteco:zkbio_cvsecurity:6.4.1_r:*:*:*:*:*:*:*

History

21 May 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-13 19:15

Updated : 2025-05-21 14:15

NVD link : CVE-2025-45746

Mitre link : CVE-2025-45746

CVE.ORG link : CVE-2025-45746

JSON object : View

Products Affected

zkteco

zkbio_cvsecurity

CWE

CWE-321

Use of Hard-coded Cryptographic Key

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-45746", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-05-13T19:15:51.593", "references": [{"url": "https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2025-45746.md", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-321"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform."}, {"lang": "es", "value": "En ZKT ZKBio CVSecurity 6.4.1_R, un atacante no autenticado puede manipular un token JWT utilizando el secreto codificado para autenticarse en la consola de servicio."}], "lastModified": "2025-05-21T14:15:31.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zkteco:zkbio_cvsecurity:6.4.1_r:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E346049E-4A50-4170-A7D5-93ED0C3B6DB5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}