CVE-2016-20026 - Vulnerability Details

- ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution

Description

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Published: 2026-03-15

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the ZKTeco ZKBioSecurity 3.0 appliance arises from hard‑coded credentials embedded in the bundled Apache Tomcat server. These credentials grant unrestricted access to the Tomcat manager application, enabling an unauthenticated attacker to upload malicious WAR files containing JSP code. Once uploaded, the attacker can execute arbitrary code with SYSTEM privileges on the underlying operating system. This type of flaw, classified as CWE‑798, results in full compromise of confidentiality, integrity, and availability for systems running the affected firmware.

Affected Systems

Affected products include the ZKTeco ZKBioSecurity 3.0 biometric security appliance. No further version details are supplied by the CNA, so administrators should verify whether their deployed units match the 3.0 release or a later iteration that may contain the issue.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability presents a critical risk. The EPSS score is reported as below 1%, indicating a relatively low probability of exploitation in the wild, and the issue does not appear in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit this flaw remotely by connecting to the Tomcat manager interface from any network that can reach the appliance, using the hard‑coded credentials to gain access and upload malicious code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ZKTeco Inc.

ZKTeco ZKBioSecurity

affected

Version	Status	Constraints
`3.0.1.0_R_230`	affected	—

No data.

Vendor Product Confidence Versions

Zkteco

Zkbiosecurity

95%

Version	Status	Scheme	Platform
`3.0.1.0_R_230`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a patched version of the ZKTeco ZKBioSecurity appliance that removes the hard‑coded credentials or applies any vendor‑issued firmware update; if no patch is available, replace the flawed tomcat-users.xml file with a secure configuration.
Remove or delete the default tomcat-users.xml entry that contains the exposed credentials, ensuring that no valid login remains.
Disable or uninstall the Apache Tomcat manager web application from the server, as it is not required for normal operation.
Restrict network access to the appliance’s management interface, for example by firewalling the required ports or requiring VPN or internal routing only.

Generated by OpenCVE AI on March 21, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://cxsecurity.com/issue/WLB-2016080266
https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
https://packetstormsecurity.com/files/138567
https://www.exploit-db.com/exploits/40324/
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php

History

Mon, 16 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zkteco Zkteco zkbiosecurity
Vendors & Products		Zkteco Zkteco zkbiosecurity

Sun, 15 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Title		ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution
Weaknesses		CWE-798
References		https://cxsecurity.com/issue/WLB-2016080266 https://exchange.xforce.ibmcloud.com/vulnerabilities/116484 https://packetstormsecurity.com/files/138567 https://www.exploit-db.com/exploits/40324/ https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Zkteco Zkbiosecurity

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-15T13:35:16.754Z

Updated: 2026-04-07T14:03:36.289Z

Reserved: 2026-03-15T12:36:32.692Z

Link: CVE-2016-20026

Vulnrichment

Updated: 2026-03-16T14:17:55.465Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:48.777

Modified: 2026-03-16T14:53:46.157

Link: CVE-2016-20026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:50Z

Weaknesses

CWE-798

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object