PatchSiren cyber security CVE debrief

CVE-2023-7103 ZKSoftware Biometric Security Solutions CVE debrief

Critical authentication bypass vulnerability in ZKSoftware UFace 5 biometric security devices allows unauthenticated remote attackers to bypass authentication mechanisms. The vulnerability, classified as Authentication Bypass by Primary Weakness (CWE-305), affects all versions through 12022024. Published March 5, 2024, with NVD record modified May 20, 2026. No known exploitation in ransomware campaigns per available sources. Organizations should prioritize patching or network segmentation for affected biometric access control systems.

Vendor: ZKSoftware Biometric Security Solutions
Product: UFace 5
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-05
Original CVE updated: 2026-05-20
Advisory published: 2024-03-05
Advisory updated: 2026-05-20

Who should care

Physical security teams, facility managers, identity and access management administrators, critical infrastructure operators, and organizations deploying biometric authentication for high-security environments

Technical summary

ZKSoftware UFace 5 biometric security devices contain an Authentication Bypass by Primary Weakness vulnerability (CWE-305) that permits unauthenticated attackers to bypass authentication mechanisms. The vulnerability is remotely exploitable over network protocols with low attack complexity, requiring no user interaction or privileges. Affected versions include all releases through firmware version 12022024. The CVSS 3.1 score of 9.8 reflects complete compromise of confidentiality, integrity, and availability. Biometric access control systems typically manage physical security perimeters; successful exploitation could enable unauthorized facility access, privilege escalation within security infrastructure, or lateral movement through compromised credential databases.

Defensive priority

Critical

Recommended defensive actions

  • Identify all ZKSoftware UFace 5 deployments within the environment and inventory their firmware versions
  • Apply vendor firmware updates beyond version 12022024 if available, or contact ZKSoftware for patch status
  • Implement network segmentation to restrict UFace 5 device access to authorized administrative hosts only
  • Monitor authentication logs for anomalous access patterns or unauthorized administrative sessions
  • Consider temporarily disabling remote administrative interfaces until patching is completed
  • Review access control policies for biometric systems as a compensating control during the remediation window

Evidence notes

Vulnerability confirmed through an official USOM advisory carrying a third-party advisory classification. The CPE criteria specify the affected product as ZKSoftware UFace 5 through version 12022024. The CVSS 3.1 vector confirms a network attack vector with low complexity and no privileges required.

Official resources

Disclosed 2024-03-05 via Turkish National Cyber Security Incident Response Team (USOM) advisory TR-24-0173. NVD record subsequently modified 2026-05-20.