CVE-2025-15128: Unprotected Storage of Credentials in ZKTeco BioTime
A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. It affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Manipulating the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15128 is a vulnerability identified in the ZKTeco BioTime biometric attendance and access control software, affecting versions 9.0.0 through 9.5.2. The issue lies within the /base/safe_setting/ directory of the endpoint component, specifically involving the manipulation of the parameters backup_encryption_password_decrypt and export_encryption_password_decrypt. These parameters control the encryption and decryption of backup passwords, but due to improper handling, credentials are stored unprotected, exposing them to unauthorized retrieval. The vulnerability can be exploited remotely without requiring authentication or user interaction, making it highly accessible to attackers with network access to the device. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. Despite the medium severity rating, the presence of a public exploit increases the risk of exploitation in the wild. The vendor has not responded or issued patches, leaving organizations reliant on mitigation strategies. The exposure of credentials could allow attackers to gain unauthorized access to the BioTime system, potentially manipulating attendance records or bypassing physical access controls. The vulnerability highlights a critical failure in secure credential storage and encryption practices within the affected software versions.
Potential Impact
For European organizations, the impact of CVE-2025-15128 can be significant, particularly for those relying on ZKTeco BioTime for workforce attendance tracking and physical access control. Unauthorized access to stored credentials could enable attackers to impersonate legitimate users, manipulate attendance data, or gain physical entry to restricted areas, undermining operational security and compliance with data protection regulations such as GDPR. The breach of biometric system credentials may also lead to broader network compromise if these credentials are reused or linked to other systems. Industries with stringent security requirements, including government agencies, healthcare, finance, and critical infrastructure, are especially vulnerable. Additionally, the lack of vendor response and patches increases the window of exposure, raising the likelihood of exploitation attempts. The public availability of an exploit further escalates the threat, potentially leading to targeted attacks or widespread scanning and exploitation campaigns across Europe.
Mitigation Recommendations
1. Immediately isolate ZKTeco BioTime devices from untrusted networks and restrict access to trusted administrators only, using network segmentation and firewall rules.
2. Monitor network traffic to and from BioTime endpoints for unusual activity, especially attempts to manipulate the backup_encryption_password_decrypt or export_encryption_password_decrypt parameters.
3. Implement strict access controls and multi-factor authentication on management interfaces to reduce the risk of unauthorized access.
4. Regularly audit and review credential storage practices and consider deploying additional encryption layers or hardware security modules (HSMs) to protect sensitive data.
5. Maintain up-to-date backups of configuration and attendance data to enable recovery in case of compromise.
6. Engage with ZKTeco for updates or patches and subscribe to vulnerability advisories for timely information.
7. Consider temporary replacement or supplementation of BioTime with alternative attendance or access control solutions until a secure version is available.
8. Educate staff on the risks and signs of exploitation attempts to enhance detection and response capabilities.
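Recommendation 2 above asks for monitoring of requests that touch the two parameters. The following is an added example, not ZKTeco's code or part of the advisory: a small detector that parses web server access log lines in the common combined format (an assumption about the deployment) and flags requests to /base/safe_setting/ whose query string names either parameter. The sample log lines are constructed; parameters sent only in a POST body would not appear in such logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter names taken from the advisory; everything else is assumed.
WATCHED_PATH = "/base/safe_setting/"
WATCHED_PARAMS = {"backup_encryption_password_decrypt",
                  "export_encryption_password_decrypt"}

# Assumed combined log format: client ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True when the request targets the safe_setting path with a watched parameter."""
    parts = urlsplit(entry["uri"])
    if not parts.path.startswith(WATCHED_PATH):
        return False
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return bool(params & WATCHED_PARAMS)

def flag_requests(lines):
    """Return (ip, timestamp, uri, status) for each matching line, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["uri"], int(entry["status"])))
    return hits

# Constructed sample lines, not real traffic: lines 1 and 4 should be flagged,
# line 3 uses a watched parameter on an unrelated path and is ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2025:22:10:01 +0000] "GET /base/safe_setting/?backup_encryption_password_decrypt=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Dec/2025:22:10:02 +0000] "GET /base/safe_setting/ HTTP/1.1" 200 2048',
    '198.51.100.4 - - [30/Dec/2025:22:11:09 +0000] "GET /some/other/page/?export_encryption_password_decrypt=1 HTTP/1.1" 200 100',
    '203.0.113.7 - - [30/Dec/2025:22:12:30 +0000] "POST /base/safe_setting/?export_encryption_password_decrypt=x HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("ALERT", *hit)
```

Feed real log lines in place of SAMPLE_LOG and forward the returned tuples to your SIEM; repeated hits from one source against the same path are the pattern worth alerting on.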
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-27T09:08:42.325Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 695450bbdb813ff03e2bf842
Added to database: 12/30/2025, 10:22:51 PM
Last enriched: 12/30/2025, 11:43:56 PM
Last updated: 2/7/2026, 8:46:44 AM