An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated malicious users to arbitrarily reset the Administrator password via a crafted web request.
zkteco biotime 8.5.5