CVE-2025-15128 is a vulnerability identified in ZKTeco BioTime biometric attendance software versions 9.0.0 through 9.5.2. The issue lies within the /base/safe_setting/ directory of the endpoint component, where credentials related to backup encryption passwords are stored unprotected. Specifically, manipulation of the arguments backup_encryption_password_decrypt or export_encryption_password_decrypt allows an attacker to retrieve these credentials without any authentication or user interaction. This flaw enables remote attackers to access sensitive credential data, which could be leveraged to compromise the integrity and confidentiality of the biometric system. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity, with an attack vector classified as network-based and no privileges or user interaction required. The vendor, ZKTeco, was contacted early but has not issued any response or patch, and no official remediation is currently available. A public exploit has been released, increasing the risk of exploitation. The vulnerability primarily affects organizations that rely on ZKTeco BioTime for attendance and access control, potentially exposing them to unauthorized access, data leakage, and further lateral movement within networks.

The impact of CVE-2025-15128 is significant for organizations using ZKTeco BioTime biometric systems. Successful exploitation can lead to the disclosure of backup encryption passwords, which are critical for protecting stored credentials and sensitive configuration data. Attackers gaining access to these credentials may bypass security controls, manipulate attendance records, or escalate privileges within the affected environment. This can result in unauthorized physical access, data integrity violations, and potential disruption of operational processes reliant on biometric authentication. Since the vulnerability can be exploited remotely without authentication, it broadens the attack surface and increases the likelihood of compromise. Organizations in sectors such as manufacturing, education, government, and corporate enterprises that deploy BioTime systems are particularly vulnerable. The lack of vendor response and patches prolongs exposure, increasing the window for attackers to exploit this flaw. Additionally, compromised credentials could facilitate further attacks on connected systems, amplifying the overall security risk.

To mitigate CVE-2025-15128, organizations should implement the following specific measures: 1) Immediately restrict network access to the BioTime endpoint, especially the /base/safe_setting/ path, by using firewalls, network segmentation, and access control lists to limit exposure to trusted administrators only. 2) Monitor network traffic and system logs for unusual access patterns or attempts to manipulate backup_encryption_password_decrypt or export_encryption_password_decrypt parameters. 3) Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting this vulnerability or related exploit attempts. 4) Conduct regular audits of credential storage and encryption practices within the BioTime environment to identify and remediate insecure configurations. 5) Isolate the BioTime system from internet-facing networks to reduce remote exploitation risk. 6) Prepare incident response plans specifically addressing potential credential compromise scenarios. 7) Stay alert for any vendor updates or patches and apply them promptly once available. 8) Consider alternative biometric or attendance solutions if remediation is delayed or unavailable. These targeted actions go beyond generic advice by focusing on network-level protections, monitoring, and operational readiness tailored to this vulnerability's characteristics.