{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2016-20026", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-15T12:36:32.692Z", "datePublished": "2026-03-15T13:35:16.754Z", "dateUpdated": "2026-06-08T15:11:27.794Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-08T15:11:27.794Z"}, "title": "ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution", "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use of Hard-coded Credentials", "cweId": "CWE-798", "type": "CWE"}]}], "affected": [{"vendor": "ZKTeco Inc.", "product": "ZKTeco ZKBioSecurity", "versions": [{"version": "3.0.1.0_R_230", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://cxsecurity.com/issue/WLB-2016080266", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116484", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"url": "https://packetstormsecurity.com/files/138567", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "https://www.exploit-db.com/exploits/40324/", "name": "Reference", "tags": ["exploit"]}, {"name": "VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution"}], "credits": [{"lang": "en", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2016-08-31T00:00:00.000Z", "solutions": [{"lang": "en", "value": "The affected software ZKBioSecurity and ZKAccess have been officially discontinued. It is recommended that users switch to using ZKBio CVSecurity software. ZKBio CVSecurity has fixed these vulnerabilities. It is recommended that customers use the latest version of ZKBio CVSecurity to eliminate risks."}], "tags": ["unsupported-when-assigned"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2016-20026", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T14:15:30.366324Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:20.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2016-20026", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T14:15:30.366324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:17:55.465Z"}}], "cna": {"title": "ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ZKTeco Inc.", "product": "ZKTeco ZKBioSecurity", "versions": [{"status": "affected", "version": "3.0.1.0_R_230"}]}], "datePublic": "2016-08-31T00:00:00.000Z", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://cxsecurity.com/issue/WLB-2016080266", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116484", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"url": "https://packetstormsecurity.com/files/138567", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "https://www.exploit-db.com/exploits/40324/", "name": "Reference", "tags": ["exploit"]}, {"url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution", "name": "VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T14:03:36.289Z"}}}, "cveMetadata": {"cveId": "CVE-2016-20026", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:03:36.289Z", "dateReserved": "2026-03-15T12:36:32.692Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T13:35:16.754Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "disclosure@vulncheck.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges."}, {"lang": "es", "value": "ZKTeco ZKBioSecurity 3.0 contiene credenciales codificadas en el servidor Apache Tomcat incluido que permiten a atacantes no autenticados acceder a la aplicaci\u00f3n de gesti\u00f3n. Los atacantes pueden autenticarse con credenciales codificadas almacenadas en tomcat-users.xml para cargar archivos WAR maliciosos que contienen aplicaciones JSP y ejecutar c\u00f3digo arbitrario con privilegios de SISTEMA."}], "id": "CVE-2016-20026", "lastModified": "2026-06-08T16:16:32.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:48.777", "references": [{"source": "disclosure@vulncheck.com", "url": "https://cxsecurity.com/issue/WLB-2016080266"}, {"source": "disclosure@vulncheck.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116484"}, {"source": "disclosure@vulncheck.com", "url": "https://packetstormsecurity.com/files/138567"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/40324/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution"}, {"source": "disclosure@vulncheck.com", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0.1.0_R_230"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "zkbiosecurity", "vendor": "zkteco"}], "analysis": {"en": {"generated_at": "2026-03-21T14:39:07.644803+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of the ZKTeco ZKBioSecurity appliance that removes the hard\u2011coded credentials or applies any vendor\u2011issued firmware update; if no patch is available, replace the flawed tomcat-users.xml file with a secure configuration.", "Remove or delete the default tomcat-users.xml entry that contains the exposed credentials, ensuring that no valid login remains.", "Disable or uninstall the Apache Tomcat manager web application from the server, as it is not required for normal operation.", "Restrict network access to the appliance\u2019s management interface, for example by firewalling the required ports or requiring VPN or internal routing only."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products include the ZKTeco ZKBioSecurity 3.0 biometric security appliance. No further version details are supplied by the CNA, so administrators should verify whether their deployed units match the 3.0 release or a later iteration that may contain the issue.", "description_and_impact": "The vulnerability in the ZKTeco ZKBioSecurity 3.0 appliance arises from hard\u2011coded credentials embedded in the bundled Apache Tomcat server. These credentials grant unrestricted access to the Tomcat manager application, enabling an unauthenticated attacker to upload malicious WAR files containing JSP code. Once uploaded, the attacker can execute arbitrary code with SYSTEM privileges on the underlying operating system. This type of flaw, classified as CWE\u2011798, results in full compromise of confidentiality, integrity, and availability for systems running the affected firmware.", "risk_and_exploitability": "With a CVSS score of 9.3, the vulnerability presents a critical risk. The EPSS score is reported as below 1%, indicating a relatively low probability of exploitation in the wild, and the issue does not appear in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit this flaw remotely by connecting to the Tomcat manager interface from any network that can reach the appliance, using the hard\u2011coded credentials to gain access and upload malicious code."}}}}, "created": "2026-03-16T09:21:48.003756+00:00", "updated": "2026-03-23T14:01:50.115370+00:00", "vendors": ["zkteco", "zkteco$PRODUCT$zkbiosecurity"]}