ByteOS Network

CVE Vulnerability Details :

CVE-2016-20031

PUBLISHED

More Info Official Page

Assigner-VulnCheck

Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10

Published At-15 Mar, 2026 | 13:35

Updated At-16 Mar, 2026 | 14:20

▼CVE Numbering Authority (CNA)

ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

Affected Products

Vendor

ZKTeco Inc.

Product

ZKTeco ZKBioSecurity

Versions

Affected

3.0.1.0_R_230

Problem Types

Type	CWE ID	Description
CWE	CWE-798	Use of Hard-coded Credentials

Type: CWE

CWE ID: CWE-798

Description: Use of Hard-coded Credentials

Metrics

Version	Base score	Base severity	Vector
4.0	6.8	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3.1	5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Version: 4.0

Base score: 6.8

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Version: 3.1

Base score: 5.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credits

finder

LiquidWorm as Gjoko Krstic of Zero Science Lab

References

Hyperlink	Resource
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php	third-party-advisory
https://cxsecurity.com/issue/WLB-2016090003	third-party-advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/116488	vdb-entry
https://packetstormsecurity.com/files/138571	exploit
https://www.exploit-db.com/exploits/40327/	exploit
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-local-authorization-bypass-via-vislogin-jsp	third-party-advisory

Hyperlink: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php

Resource:

third-party-advisory

Hyperlink: https://cxsecurity.com/issue/WLB-2016090003

Resource:

third-party-advisory

Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/116488

Resource:

vdb-entry

Hyperlink: https://packetstormsecurity.com/files/138571

Resource:

exploit

Hyperlink: https://www.exploit-db.com/exploits/40327/

Resource:

exploit

Hyperlink: https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-local-authorization-bypass-via-vislogin-jsp

Resource:

third-party-advisory

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References