Description
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.
Published: 2026-03-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

This vulnerability is a cross‑site request forgery that allows an attacker to create superadmin accounts on ZKTeco ZKBioSecurity 3.0 by exploiting missing authenticity checks. An authenticated user who visits a malicious page can trigger the creation of a new superadmin account without any validation, giving the attacker full administrative control over the system. The weakness is a classic CSRF (CWE‑352).

Affected Systems

The affected product is ZKTeco Inc.’s ZKBioSecurity 3.0. No additional product versions are listed, so any instance running this version is at risk.

Risk and Exploitability

The vulnerability scores a moderate CVSS of 5.3 and an EPSS of less than 1 %, indicating that overall exploitation is unlikely under normal circumstances. The attack vector is client‑side – an attacker must persuade an already‑authenticated user to visit a malicious site that sends crafted HTTP requests. It is not listed in the CISA KEV catalog, but the potential to add superadmin accounts poses a serious risk if exploited.

Generated by OpenCVE AI on March 21, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check ZKTeco’s website or security advisories for an available patch or update to address the CSRF issue.
  • Apply any vendor‑supplied patch or upgrade the affected system to a version that no longer allows unauthenticated superadmin creation.
  • If a patch is not yet released, restrict the use of superadmin accounts and limit administrative functions to trusted users.
  • Consider implementing generic web‑application firewall rules or CSRF mitigation techniques to block malicious requests from external sites.
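The last two actions above come down to one control: a state-changing request such as "create account" must carry proof that it originated from the application's own pages, not from a third-party site the logged-in user happened to visit. The following is an added example (not ZKTeco's code, and not taken from any advisory) of the synchronizer-token pattern plus an Origin check and a SameSite session cookie, written as a small self-contained Python module. The endpoint name, the session id and the allowed origin are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the advisory): one server-side key, one allowed
# origin for the administrative UI, and requests modelled as plain dicts.
SERVER_KEY = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://bio.example.internal"}   # constructed placeholder
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive a CSRF token bound to the session. A site the victim visits
    cannot compute it (no key) and a token from another session is useless."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Strict means the browser
    will not attach it to requests initiated from another site at all."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def csrf_check(request: dict, session_id: str, key: bytes = SERVER_KEY):
    """Return (ok, reason). Only state-changing methods need proof of origin;
    GET handlers must never create or modify accounts."""
    method = request["method"].upper()
    if method not in STATE_CHANGING:
        return True, "safe method"

    # First gate: browsers send Origin on cross-site POSTs; an unexpected
    # value is rejected outright. A missing header falls through to the token.
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"

    # Second gate: the token must be present (form field or header) and must
    # match the one issued to this session; compare in constant time.
    presented = request["form"].get("csrf_token") or request["headers"].get("X-CSRF-Token")
    if not presented:
        return False, "missing csrf token"
    if not hmac.compare_digest(presented, issue_csrf_token(session_id, key)):
        return False, "csrf token does not match session"
    return True, "ok"


def add_account(store: dict, request: dict, session_id: str) -> bool:
    """Hardened version of an 'add account' handler: the account is created
    only when the CSRF check passes. Returns True if an account was added."""
    ok, _reason = csrf_check(request, session_id)
    if not ok:
        return False
    store[request["form"]["user"]] = request["form"]["role"]
    return True


if __name__ == "__main__":
    sid = "sess-123"   # constructed session id
    accounts = {}
    forged = {"method": "POST",
              "headers": {"Origin": "https://attacker.example"},
              "form": {"user": "backdoor", "role": "superadmin"}}
    print(add_account(accounts, forged, sid), accounts)   # False {}
```

A request that only carries the victim's session cookie (which is exactly what a cross-site form post has) fails at the Origin gate or, if the header is absent, at the token gate, because the forging page cannot read the token out of the victim's session. The same check applied to the ZKBioSecurity account-creation endpoint is what removes the attack described above; a WAF rule that requires a valid Origin on administrative POSTs is a coarser stopgap for the period before a vendor patch.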

Generated by OpenCVE AI on March 21, 2026 at 14:38 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Zkteco; Zkteco zkbiosecurity

Type: Vendors & Products
Values Removed: (empty)
Values Added: Zkteco; Zkteco zkbiosecurity

Sun, 15 Mar 2026 14:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.

Type: Title
Values Removed: (empty)
Values Added: ZKTeco ZKBioSecurity 3.0 Cross-Site Request Forgery Superadmin

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-352

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

Zkteco Zkbiosecurity
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:20.449Z

Reserved: 2026-03-15T12:36:51.756Z

Link: CVE-2016-20028

Vulnrichment

Updated: 2026-03-16T14:17:50.315Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:49.333

Modified: 2026-03-16T14:53:46.157

Link: CVE-2016-20028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:48Z

Weaknesses