CVE-2016-20025 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 16, 2026
ZKTeco ZKAccess Professional - Broken Access Control
Published: March 16, 2026 | Updated: March 16, 2026 | Remote Exploitable
Overview
ZKTeco ZKAccess Professional 3.5.3 ships with insecure file permissions on its installation files: authenticated, low-privileged users hold Modify rights on the application's executables. Because write access to a binary is effectively control over whatever account later runs it, an attacker can overwrite an executable with malicious code and gain the privileges of the higher-privileged user or account that subsequently launches it.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
An authenticated attacker can replace an executable with malicious code and inherit the privileges of the account that next runs it, which can lead to full control of the system.
Mitigation
Upgrade to a version whose installer sets correct file permissions, or correct them by hand: remove Modify and Full Control rights for Users, Authenticated Users and Everyone on the installation directory and its executables, leaving those groups Read & Execute only. Check the result with icacls after the change, and note that rights inherited from a parent directory have to be fixed at the parent or converted to explicit entries before they can be replaced.
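The check and the fix described above, as an added example that is not ZKTeco's code and not the exploit from the references: the script parses the text that `icacls <path>` prints on Windows, flags every ACE that grants a write-class right to a low-privilege group (the condition behind this CVE), and emits the icacls commands that restrict those groups to read-and-execute. The install path, the sample ACL and the list of low-privilege principals are assumptions made for illustration; run it against real `icacls` output to audit an installation.

```python
"""Flag weak DACLs on a Windows install directory from `icacls` output.

Added example for this advisory; not ZKTeco's code and not the referenced
exploit. Parses the text that `icacls <path>` prints, reports every ACE that
grants write-class rights to a low-privilege principal, and emits the icacls
commands that restrict those principals to read-and-execute. The install path
and the ACL below are constructed for illustration (assumptions).
"""
import re
from dataclasses import dataclass

# Groups whose members should never be able to change program files (assumed list).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) and specific rights (WD, AD, WDAC, WO, DE,
# GA, GW) that let the holder change a file's contents, ACL or owner, or replace it.
WRITE_CLASS_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DE", "GA", "GW"}

# Inheritance markers icacls prints in the same parenthesised token list.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<tokens>(?:\([^)]*\))+)$")


@dataclass
class Ace:
    principal: str
    rights: set
    flags: set
    deny: bool = False

    def is_weak(self) -> bool:
        """A low-privilege group holding any right that lets it modify or replace the object."""
        return (not self.deny
                and self.principal.lower() in LOW_PRIV_PRINCIPALS
                and bool(self.rights & WRITE_CLASS_RIGHTS))


def parse_icacls(path: str, output: str) -> list:
    """Parse `icacls <path>` output; icacls prints the path once, in front of the first ACE."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights, flags, deny = set(), set(), False
        for token in re.findall(r"\(([^)]*)\)", m.group("tokens")):
            for part in token.split(","):
                part = part.strip()
                if part == "DENY":
                    deny = True
                elif part in INHERITANCE_FLAGS:
                    flags.add(part)
                elif part:
                    rights.add(part)
        aces.append(Ace(m.group("principal").strip(), rights, flags, deny))
    return aces


def weak_aces(aces: list) -> list:
    return [a for a in aces if a.is_weak()]


def remediation(path: str, aces: list, is_dir: bool = True) -> list:
    """icacls commands that replace each weak ACE with read-and-execute only.

    /grant:r replaces the principal's explicit rights. Inherited ACEs cannot be
    replaced in place, so inheritance is first converted to explicit entries
    with /inheritance:d. (OI)(CI) propagates the fix to the files under a directory.
    """
    weak = weak_aces(aces)
    cmds = []
    if any("I" in a.flags for a in weak):
        cmds.append(f'icacls "{path}" /inheritance:d')
    scope = "(OI)(CI)" if is_dir else ""
    for principal in dict.fromkeys(a.principal for a in weak):
        cmds.append(f'icacls "{path}" /grant:r "{principal}:{scope}RX"')
    return cmds


# Constructed sample: the install path and ACL are assumptions for illustration.
SAMPLE_PATH = r"C:\Program Files\ZKTeco\ZKAccess3.5"
SAMPLE_ICACLS_OUTPUT = r"""
C:\Program Files\ZKTeco\ZKAccess3.5 BUILTIN\Users:(OI)(CI)(M)
                                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                    Everyone:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    found = parse_icacls(SAMPLE_PATH, SAMPLE_ICACLS_OUTPUT)
    for ace in weak_aces(found):
        print(f"WEAK: {ace.principal} has {sorted(ace.rights)} "
              f"({'inherited' if 'I' in ace.flags else 'explicit'})")
    for cmd in remediation(SAMPLE_PATH, found):
        print(cmd)
```

On the constructed sample the script flags `BUILTIN\Users` (explicit Modify) and `NT AUTHORITY\Authenticated Users` (Modify inherited from the parent directory) and leaves `Everyone` alone because Read & Execute cannot be used to replace a binary. Since one weak entry is inherited, the first command it emits is `/inheritance:d`; without that step `/grant:r` would add an explicit RX entry while the inherited Modify entry kept granting write access.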
References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php
- https://cxsecurity.com/issue/WLB-2016080265
- https://exchange.xforce.ibmcloud.com/vulnerabilities/116486
- https://packetstormsecurity.com/files/138566
- https://www.exploit-db.com/exploits/40323/
- https://www.vulncheck.com/advisories/zkteco-zkaccess-professional-privilege-escalation-via-insecure-permissions
Details
- CVE ID: CVE-2016-20025
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-552: Files or Directories Accessible to External Parties
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H