CVE-2016-20026 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: March 16, 2026
ZKTeco ZKBioSecurity - Hardcoded Credentials
Published: March 16, 2026
Updated: March 16, 2026
Remote Exploitable
Overview
ZKTeco ZKBioSecurity 3.0 ships with hardcoded credentials for the bundled Apache Tomcat server. An unauthenticated attacker who knows them can log in to the Tomcat manager application, upload a malicious WAR archive, and execute arbitrary code with SYSTEM privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can execute arbitrary code with SYSTEM privileges, leading to full system compromise.
Mitigation
Update to the latest version or apply the vendor patches that remove the hardcoded credentials.
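The following audit script is an added example for defenders and is not part of the advisory or of ZKTeco's product. It checks a Tomcat `tomcat-users.xml` for accounts that hold manager or admin roles (the roles that allow WAR deployment) and checks the manager application's `context.xml` for a `RemoteAddrValve` source restriction. The two configurations embedded below are constructed samples: the user names and passwords are placeholders, not the credentials shipped with ZKBioSecurity, and the file paths in the comments assume a standard Tomcat layout.

```python
"""Audit Tomcat configuration for manager-capable accounts and manager access restrictions.

Added example (not from the advisory or the vendor). Sample configurations are
constructed; credential values are placeholders.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat manager / host-manager web applications.
# manager-gui and manager-script both allow deploying a WAR archive.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed sample of conf/tomcat-users.xml as a bundled server might ship it:
# a built-in account with deploy-capable roles (placeholder values).
VULNERABLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="PLACEHOLDER_BUILTIN_USER" password="PLACEHOLDER_BUILTIN_PASS"
        roles="manager-gui,manager-script"/>
  <user username="app" password="PLACEHOLDER_APP_PASS" roles="app-user"/>
</tomcat-users>
"""

# Constructed sample after remediation: the built-in manager account is removed.
HARDENED_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="app" password="PLACEHOLDER_APP_PASS" roles="app-user"/>
</tomcat-users>
"""

# Constructed sample of webapps/manager/META-INF/context.xml with the manager
# limited to loopback sources via RemoteAddrValve.
RESTRICTED_MANAGER_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""

# Constructed sample with no source restriction at all.
OPEN_MANAGER_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true"/>
"""


def _local_name(tag):
    """Strip an XML namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.rsplit("}", 1)[-1]


def find_manager_accounts(users_xml):
    """Return [(username, [granted manager roles])] for every deploy-capable account."""
    root = ET.fromstring(users_xml)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts both 'username' and 'name' on <user>.
        name = elem.get("username") or elem.get("name")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        if granted:
            findings.append((name, granted))
    return findings


def manager_restricts_source(context_xml):
    """True if the manager context.xml carries a RemoteAddrValve with an allow list."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if (valve.get("className") == "org.apache.catalina.valves.RemoteAddrValve"
                and valve.get("allow")):
            return True
    return False


def audit(users_xml, context_xml):
    """Summarise both checks; an empty list means no findings."""
    issues = []
    for name, roles in find_manager_accounts(users_xml):
        issues.append(f"account '{name}' holds deploy-capable roles {roles}")
    if not manager_restricts_source(context_xml):
        issues.append("manager application has no RemoteAddrValve source restriction")
    return issues


if __name__ == "__main__":
    for label, users, ctx in (
        ("bundled", VULNERABLE_USERS_XML, OPEN_MANAGER_CONTEXT_XML),
        ("hardened", HARDENED_USERS_XML, RESTRICTED_MANAGER_CONTEXT_XML),
    ):
        print(label, audit(users, ctx) or ["no findings"])
```

Run the script against the real files (`conf/tomcat-users.xml` and `webapps/manager/META-INF/context.xml` under the Tomcat directory that the product bundles) instead of the embedded samples; any account reported with a manager role that the deployment does not need should be removed, and the manager application itself should stay unreachable from untrusted networks even after the vendor patch is applied.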
References
- https://cxsecurity.com/issue/WLB-2016080266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
- https://packetstormsecurity.com/files/138567
- https://www.exploit-db.com/exploits/40324/
- https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
Details
- CVE ID: CVE-2016-20026
- Severity: Critical
- CVSS Score: 9.8
- Type: hardcoded_credentials
- Status: unconfirmed
CWE
- CWE-798
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H