ZKTeco BioTime v.8.5.4 contains an affected endpoint that discloses employee data (name, employment ID, photo, etc.) and can be accessed without authentication and authorization checks.
An attacker might use the disclosed information to gain a greater understanding of the systems and the employees, and potentially to develop further attacks targeted at the organization; e.g., the attacker might use the employees' usernames and IDs to gain access to different employees-only systems. The attacker can also leak this information to the internet.
Vulnerability path: