CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Analysis
A critical hardcoded-credentials vulnerability in the Apache Tomcat server bundled with ZKTeco ZKBioSecurity 3.0 allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), which makes this a high-risk vulnerability for organizations running this biometric security management software.
Technical Context
The vulnerability stems from hardcoded credentials in the tomcat-users.xml configuration file of the bundled Apache Tomcat server within ZKTeco ZKBioSecurity (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*). This is a classic CWE-798 (Use of Hard-coded Credentials) issue where default credentials are embedded in the application distribution. The affected version 3.0.1.0_R_230 includes a Tomcat manager application accessible with these static credentials, allowing attackers to deploy arbitrary Java web applications (WAR files) containing malicious JSP code.
Affected Products
ZKTeco ZKBioSecurity version 3.0 (specifically 3.0.1.0_R_230 per ENISA EUVD-2016-10807). This is a biometric security management platform used for access control and time attendance systems. The vulnerability affects the bundled Apache Tomcat server component within these installations.
Remediation
No specific patch information is available in the provided references. Immediate actions include:
1) Disable or restrict network access to the Tomcat manager application.
2) Change the default credentials in tomcat-users.xml if possible.
3) Consider upgrading to a newer version of ZKBioSecurity if available.
4) Implement network segmentation to limit exposure of the management interface.
Contact ZKTeco for vendor-specific patches or updates. The VulnCheck advisory (https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution) may contain additional remediation details.
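The following audit helper is an added example written for this record; it is not vendor code and not taken from any of the referenced advisories. It supports remediation steps 1 and 2 above: it parses a tomcat-users.xml and reports every account that holds a role the Tomcat manager application honours (manager-gui, manager-script, manager-jmx, manager-status, the standard Tomcat role names), produces a hardened copy with those roles removed, and checks whether the manager app's META-INF/context.xml carries a RemoteAddrValve allow-list (the mechanism Tomcat itself ships to limit the manager to loopback clients). The sample files and the account name PLACEHOLDER_HARDCODED_USER are constructed; the actual hardcoded credential is not reproduced here.

```python
"""Audit helpers for the bundled Tomcat manager exposure described above.

Added example, not ZKTeco or Tomcat project code. All sample input below is
constructed; the real hardcoded account and password are not reproduced.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat manager application (Tomcat 7 and later).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Keep the default namespace unprefixed when serialising a hardened copy.
ET.register_namespace("", "http://tomcat.apache.org/xml")

# Constructed sample: the shape of a tomcat-users.xml that exposes the manager app.
# PLACEHOLDER_HARDCODED_USER stands in for the vendor account; it is not the real value.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="PLACEHOLDER_HARDCODED_USER" password="PLACEHOLDER_PASSWORD"
        roles="manager-gui,manager-script"/>
  <user username="app-reader" password="PLACEHOLDER" roles="app-user"/>
</tomcat-users>
"""

# Constructed samples of webapps/manager/META-INF/context.xml: one open to any client,
# one limited to loopback with the allow pattern Tomcat ships in its own default file.
OPEN_CONTEXT = """<Context antiResourceLocking="false" privileged="true"/>"""
RESTRICTED_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip the XML namespace so <user> matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _roles_of(user_el):
    return {r.strip() for r in user_el.get("roles", "").split(",") if r.strip()}


def find_manager_accounts(xml_text):
    """Return [(username, sorted manager roles)] for each account that can reach the manager app."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        granted = sorted(_roles_of(el) & MANAGER_ROLES)
        if granted:
            # Older Tomcat files use name= instead of username=; accept both.
            hits.append((el.get("username", el.get("name", "?")), granted))
    return hits


def strip_manager_roles(xml_text):
    """Return a hardened copy of tomcat-users.xml with manager roles removed from every user.

    Covers remediation step 2 when the vendor account cannot simply be deleted:
    without a manager-* role the manager app rejects the login even if the
    password stays hardcoded.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        kept = sorted(_roles_of(el) - MANAGER_ROLES)
        el.set("roles", ",".join(kept))
    return ET.tostring(root, encoding="unicode")


def manager_restricted_by_ip(context_xml):
    """True if the manager context limits clients through a RemoteAddrValve allow-list (step 1)."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className", "").endswith("RemoteAddrValve") and valve.get("allow"):
            return True
    return False


if __name__ == "__main__":
    for user, roles in find_manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"manager access: {user} via {roles}")
    print("open context restricted:", manager_restricted_by_ip(OPEN_CONTEXT))
    print("hardened context restricted:", manager_restricted_by_ip(RESTRICTED_CONTEXT))
    print(strip_manager_roles(SAMPLE_TOMCAT_USERS))
```

Run it against the real files from the ZKBioSecurity installation (conf/tomcat-users.xml and webapps/manager/META-INF/context.xml under the bundled Tomcat) to confirm that no account keeps a manager role and that the manager context carries an allow-list; note that removing the role does not change the hardcoded password itself, so step 2 should still be completed, and a RemoteAddrValve only helps if the manager app is not also reachable through a proxy that rewrites the client address.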
External POC / Exploit Code
EUVD-2016-10807