CVE-2025-45746

Published: May 13, 2025

Modified: May 21, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.

Vendor	Product	Versions
ZKTeco	ZKBio CVSecurity	affected `6.4.1_R - < 6.6.0_R`

Weaknesses (CWE)

CWE-321

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2025-45746.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-45746

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References