CVE-2025-45746: CWE-321 Use of Hard-coded Cryptographic Key in ZKTeco ZKBio CVSecurity
In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT using the hard-coded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.
AI Analysis
Technical Summary
CVE-2025-45746 is a vulnerability in ZKTeco's ZKBio CVSecurity version 6.4.1_R, classified as CWE-321 (Use of Hard-coded Cryptographic Key). The service console authenticates callers with JSON Web Tokens, and the secret used to sign and verify those tokens is embedded in the product rather than generated per installation. Because the same secret ships in every copy of the software, anyone who can obtain the software can recover it and mint a token that the console accepts. No credentials and no user interaction are needed; the forged token is indistinguishable from a legitimately issued one, which is the core failure of a shared-secret (HMAC) JWT scheme once the secret is public.

The vendor disputes the significance of the finding on two grounds: the service console is normally reachable only from the local area network, and console access does not translate into a login or data access on the application platform itself. The CVSS 3.1 base score is nonetheless 6.5 (medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: network attack vector, low complexity, no privileges, no user interaction, and limited confidentiality and integrity impact with no availability impact. Note that CVSS scores network reachability, not whether the port happens to be exposed in a given deployment, so the vendor's LAN-only argument lowers environmental risk without changing the base score.

No exploitation in the wild is known at the time of this analysis. A hard-coded key is still a design flaw rather than a configuration mistake: it cannot be fixed by the operator and remains exploitable wherever the console is reachable, whether through weak segmentation, a flat management network, or remote access tooling. The flaw does not by itself grant application login or data access, but unauthenticated console access is a plausible foothold for lateral movement or for chaining with other weaknesses.
Potential Impact
For European organizations running ZKBio CVSecurity 6.4.1_R the risk is moderate and depends almost entirely on where the service console is reachable from. If it is exposed beyond a tightly controlled management network, for example through a misconfigured VPN, a remote support tool, or a flat internal network, an attacker on that network can authenticate to the console without any credentials. Although the vendor states that this does not yield application login or data access, unauthenticated console access could still let an attacker change service settings, disrupt the security monitoring the platform provides, or use the host as a pivot point. The exposure matters most where ZKBio CVSecurity manages physical access control or surveillance for government, critical infrastructure, or large enterprise sites, since those are environments where trust in the physical security system itself is part of the control. The presence of a hard-coded key also signals weak cryptographic hygiene in the product, which should prompt a closer look at how the rest of the deployment handles keys and secrets.
Mitigation Recommendations
Organizations should first establish where the service console of ZKBio CVSecurity 6.4.1_R is reachable from: identify the console's listening port on the host and confirm from outside the management network that it is not accessible. Restrict it with firewall rules or ACLs to a small set of trusted administrative hosts, and place the server in a dedicated management segment rather than on a flat LAN. Because the forged token is cryptographically valid, the product's own authentication cannot tell it apart from a real one; detection therefore has to rely on context. Review console access logs for requests from unexpected source addresses, at unusual times, or carrying token claims (subject, issued-at, expiry) that do not match a session the administrators actually started, and feed those logs to a SIEM or NIDS with alerts on console access from outside the management subnet. At the time of this analysis no patch is available: if the console is not needed, disable it, and otherwise engage ZKTeco for a fix that generates a per-installation secret. Multi-factor authentication on the console login, where the product supports it, does not address this issue, because the attacker never logs in and instead presents a token that bypasses the login step entirely. Finally, review key management across all security products in the estate so that no other component relies on a secret shipped in code, and include physical security management systems in regular security audits.
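To make the token-forgery mechanism and the log review described above concrete, the following is an added, self-contained Python example; it is not code from ZKTeco or from this page's author, and it contains no real product secret. The hard-coded secret, the token claims, the log line format and the management subnet are all constructed for illustration. It mints an HS256 token under the shared secret, shows that a verifier using that secret accepts it while a verifier using a per-installation random key rejects it, and then audits constructed access-log lines for tokens signed with the known secret and for requests from outside the management network.

```python
"""Illustrative example of CWE-321 JWT forgery and its detection.
Not ZKTeco code; the secret, claims, log format and subnet are assumptions."""
import base64
import hashlib
import hmac
import ipaddress
import json
import re
import secrets
import time

# Assumed hard-coded secret. In a CWE-321 product it is identical in every
# installation, so anyone with a copy of the software can read it out.
HARDCODED_SECRET = b"example-hardcoded-secret-not-the-real-one"
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # assumed management network
# Assumed log format: "<src-ip> - <path> Authorization: Bearer <token>"
LOG_RE = re.compile(r"^(\S+) \S+ (\S+) Authorization: Bearer (\S+)$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; with the shipped secret this is all an attacker needs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the signature is valid under `secret` and the token
    is unexpired, else None. The algorithm is pinned to HS256 so a forged
    header cannot downgrade verification to 'none'."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def generate_install_secret() -> bytes:
    """Hardened replacement: a random per-installation key, created at install
    time and stored in a permission-restricted config or keystore, never in code."""
    return secrets.token_bytes(32)


def forgery_demo(install_secret: bytes):
    """Return (accepted by verifier using the shared secret,
               accepted by verifier using the per-install secret)."""
    forged = sign_jwt({"sub": "admin", "role": "service-console", "exp": 2_000_000_000},
                      HARDCODED_SECRET)
    return (verify_jwt(forged, HARDCODED_SECRET) is not None,
            verify_jwt(forged, install_secret) is not None)


def audit_log(lines, install_secret: bytes, now=1_700_000_000):
    """Flag console requests whose token validates under the known hard-coded
    secret, whose token is invalid, or whose source lies outside MGMT_SUBNET."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path, tok = m.groups()
        reasons = []
        if ipaddress.ip_address(src) not in MGMT_SUBNET:
            reasons.append("source outside management subnet")
        if verify_jwt(tok, HARDCODED_SECRET, now) is not None:
            reasons.append("token signed with hard-coded secret")
        elif verify_jwt(tok, install_secret, now) is None:
            reasons.append("invalid token")
        if reasons:
            findings.append((src, path, reasons))
    return findings


def sample_audit():
    """Run the audit over constructed log lines (not real product logs)."""
    install_secret = generate_install_secret()
    legit = sign_jwt({"sub": "svc-admin", "exp": 1_700_000_600}, install_secret)
    forged = sign_jwt({"sub": "admin", "exp": 1_700_000_600}, HARDCODED_SECRET)
    lines = [
        f"10.10.0.5 - /console/status Authorization: Bearer {legit}",
        f"203.0.113.7 - /console/status Authorization: Bearer {forged}",
        f"10.10.0.9 - /console/config Authorization: Bearer {forged}",
        f"10.10.0.5 - /console/status Authorization: Bearer not.a.jwt",
    ]
    return audit_log(lines, install_secret)


if __name__ == "__main__":
    print("weak/hardened verifier accept forged token:", forgery_demo(generate_install_secret()))
    for src, path, reasons in sample_audit():
        print(src, path, "; ".join(reasons))
```

The audit only works because the secret is known to the defender as well as the attacker; once the vendor moves to a per-installation key, the "signed with hard-coded secret" check becomes a regression test that the old key is no longer honoured, while the subnet check stays useful as a standing control.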
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/20/2025, 6:59:08 PM
Last enriched: 7/6/2025, 5:09:34 AM
Last updated: 7/31/2025, 8:54:32 AM