Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2016-20026
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-15 Mar, 2026 | 13:35
Updated At-08 Jun, 2026 | 15:11
Rejected At-
▼CVE Numbering Authority (CNA)
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Affected Products
Vendor
ZKTeco Inc.
Product
ZKTeco ZKBioSecurity
Versions
Affected
  • 3.0.1.0_R_230
Problem Types
TypeCWE IDDescription
CWECWE-798Use of Hard-coded Credentials
Type: CWE
CWE ID: CWE-798
Description: Use of Hard-coded Credentials
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

The affected software ZKBioSecurity and ZKAccess have been officially discontinued. It is recommended that users switch to using ZKBio CVSecurity software. ZKBio CVSecurity has fixed these vulnerabilities. It is recommended that customers use the latest version of ZKBio CVSecurity to eliminate risks.

Configurations
Workarounds
Exploits
Credits
finder
LiquidWorm as Gjoko Krstic of Zero Science Lab
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
third-party-advisory
https://cxsecurity.com/issue/WLB-2016080266
third-party-advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
vdb-entry
https://packetstormsecurity.com/files/138567
exploit
https://www.exploit-db.com/exploits/40324/
exploit
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
third-party-advisory
Hyperlink: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
Resource:
third-party-advisory
Hyperlink: https://cxsecurity.com/issue/WLB-2016080266
Resource:
third-party-advisory
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
Resource:
vdb-entry
Hyperlink: https://packetstormsecurity.com/files/138567
Resource:
exploit
Hyperlink: https://www.exploit-db.com/exploits/40324/
Resource:
exploit
Hyperlink: https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found