
Zkteco Zkbiosecurity CVE-2016-20028

EUVD-2016-10811 | MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
Published 2026-03-15 | VulnCheck
CVSS 4.0 (NVD): 5.3

Severity by source

NVD (primary): 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

Metrics decoded from the vector above (CVSS 4.0 has no Scope metric; its place is taken by the Subsequent System metrics):
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality / Integrity / Availability: None / Low / None
Subsequent System Confidentiality / Integrity / Availability: Low / Low / Low
Threat and environmental metrics: not defined (X)

Lifecycle Timeline

Apr 15, 2026 15:22 (NVD): CVSS changed from 4.3 (MEDIUM) to 5.3 (MEDIUM)
Mar 16, 2026 14:53 (vuln.today): PoC detected, public exploit code
Mar 15, 2026 14:00 (euvd): EUVD ID assigned, EUVD-2016-10811
Mar 15, 2026 14:00 (vuln.today): analysis generated
Mar 15, 2026 13:35 (nvd): CVE published, initial score 4.3 (MEDIUM)

Description (source: CVE.org)

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.

Analysis (AI-generated)

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability in its administrative account-creation function: the server accepts a request to add a superadmin account on the strength of the session cookie alone, with no validity check tying the request to the application's own pages. The attacker needs no account on the system. They host a page that submits the add-user request; when a logged-in administrator visits it, the browser attaches the administrator's session cookie, the server silently creates the attacker's superadmin credentials, and the attacker gains persistent administrative access to a biometric access control platform. Exploitation therefore depends on an administrator visiting attacker-controlled content while holding a live session, which is the usual CSRF precondition. Note that the NVD CVSS 4.0 vector (PR:L, UI:N) models the issue as needing low privileges and no user interaction, which does not match this flow; the timeline records public exploit code detected the day after publication.

Technical Context (AI-generated)

The vulnerability is the absence of CSRF tokens or an equivalent anti-CSRF mechanism on ZKTeco ZKBioSecurity 3.0's administrative account-creation endpoint. A browser attaches a site's session cookie to every request it sends to that site, including requests that a page on another origin triggers, for example through an auto-submitting form. If the server treats the presence of a valid session cookie as proof that the request came from its own UI, and does not check a per-session token carried in the request or the request's Origin/Referer header, it cannot tell an administrator's deliberate click from a forged request; that is the weakness CWE-352 describes. ZKBioSecurity is a biometric access control and time-attendance management platform deployed in enterprise environments, typically on internal networks or cloud infrastructure. The missing validity check on superadmin creation means the application trusts the browser context of authenticated users implicitly, and because the unprotected operation creates the highest-privilege account type, a single forged request is enough to take over the console.
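To make the mechanism concrete, the following is an added example (not ZKBioSecurity code and not derived from the PoC the timeline mentions): a minimal model of an add-user endpoint that trusts the session cookie alone, beside the same endpoint hardened with an Origin/Referer check and a per-session synchronizer token. The endpoint path, cookie name, form field names and console origin are assumptions chosen for illustration.

```python
# Added example, not ZKBioSecurity code. Models an "add superadmin" endpoint
# that trusts the session cookie alone, next to a hardened version with an
# Origin/Referer check and a per-session synchronizer token. The path, cookie
# name, form field names and APP_ORIGIN are assumptions for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://zkbio.example.internal"  # assumed console origin
SESSION_COOKIE = "JSESSIONID"                   # assumed cookie name
ADD_USER = ("POST", "/admin/add_user")          # assumed endpoint
SESSIONS: dict[str, dict] = {}                  # session id -> record
USERS: dict[str, str] = {}                      # username -> role


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)

def login(username: str) -> str:
    """Create a session and mint its CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid

def admin_session(req: Request):
    """Session record if the cookie belongs to a superadmin, else None."""
    sess = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))
    return sess if sess and USERS.get(sess["user"]) == "superadmin" else None

def add_user_vulnerable(req: Request) -> tuple[int, str]:
    """Accepts any cookie-authenticated POST. The victim's browser attaches
    that cookie to a form another site auto-submits, so the forgery lands."""
    if (req.method, req.path) != ADD_USER:
        return 404, "not found"
    if admin_session(req) is None:
        return 401, "login required"
    USERS[req.form["username"]] = req.form.get("role", "user")
    return 200, "created"

def origin_allowed(req: Request) -> bool:
    """True only if Origin (or Referer when Origin is absent) names the console.
    Browsers always send Origin on a cross-origin POST, so neither header
    present means refuse, not trust."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = req.headers.get("Referer")
    if referer is None:
        return False
    r, a = urlsplit(referer), urlsplit(APP_ORIGIN)
    return (r.scheme, r.netloc) == (a.scheme, a.netloc)

def add_user_hardened(req: Request) -> tuple[int, str]:
    """Same endpoint with both standard CSRF defences applied."""
    if (req.method, req.path) != ADD_USER:
        return 404, "not found"
    sess = admin_session(req)
    if sess is None:
        return 401, "login required"
    if not origin_allowed(req):
        return 403, "cross-origin request rejected"
    # constant-time compare: the token is a per-session secret
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    USERS[req.form["username"]] = req.form.get("role", "user")
    return 200, "created"

def forged_request(sid: str) -> Request:
    """What the admin's browser sends after an attacker page auto-submits a
    form: cookie attached, Origin is the attacker's site, no token (the
    attacker page cannot read it across origins)."""
    return Request(*ADD_USER, headers={"Origin": "https://attacker.example"},
                   cookies={SESSION_COOKIE: sid},
                   form={"username": "backdoor", "role": "superadmin"})

def legitimate_request(sid: str) -> Request:
    """The same action submitted from the console's own UI."""
    return Request(*ADD_USER, headers={"Origin": APP_ORIGIN},
                   cookies={SESSION_COOKIE: sid},
                   form={"username": "alice", "role": "user",
                         "csrf_token": SESSIONS[sid]["csrf"]})

def demo() -> dict:
    """Run each handler on a forged and a legitimate request; return status
    codes and whether the forged superadmin account came to exist."""
    results = {}
    for name, handler in (("vulnerable", add_user_vulnerable),
                          ("hardened", add_user_hardened)):
        SESSIONS.clear()
        USERS.clear()
        USERS["admin"] = "superadmin"
        sid = login("admin")
        results[f"{name}/forged"] = handler(forged_request(sid))[0]
        results[f"{name}/backdoor"] = USERS.get("backdoor") == "superadmin"
        results[f"{name}/legit"] = handler(legitimate_request(sid))[0]
    return results
```

Running `demo()` shows the vulnerable handler returning 200 for the forged request and leaving a `backdoor` superadmin behind, while the hardened handler returns 403 for the forgery and 200 for the console's own request. The two defences are deliberately independent: the origin check stops the forgery even if the token were leaked, and the token stops it even for clients that strip Origin and Referer.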

Remediation (AI-generated)

Upgrade ZKTeco ZKBioSecurity to a version in which the vendor confirms the account-creation endpoints validate a CSRF token; check the vendor's advisories for availability. Until then, apply compensating controls that address the forgery itself, not only the network path. The forged request is issued by an administrator's own browser from inside the trusted network, so HTTPS, HSTS and firewall or VPN rules restricting the console to internal IP ranges do not stop it; they still reduce exposure and should stay in place. Controls that do help: mark the session cookie SameSite=Strict (Lax at minimum) and Secure, for example by rewriting Set-Cookie at a reverse proxy in front of the console; reject POST/PUT/DELETE requests to the console whose Origin or Referer header names another site; keep administrative sessions short and have administrators log out before browsing elsewhere, ideally from a dedicated browser profile used only for administration. Treat any superadmin account that no administrator remembers creating as an indicator of compromise: review the user list and audit logs for such accounts and remove them. Finally, verify in your deployed version that every state-changing administrative request is refused when replayed without its token or from a cross-origin page; if it is not, contact ZKTeco for patch timelines and interim guidance.
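The two edge controls named above (SameSite on the session cookie and an Origin/Referer check on state-changing requests) can be applied without touching the application. The configuration below is an added example, not ZKTeco's configuration and not something the page documents: it assumes an nginx reverse proxy is the only route to the web console, that the console is reached at https://zkbio.example.internal, that the application listens on 127.0.0.1:8088 behind it, and that administrators sit in 10.20.0.0/16. Hostnames, addresses and ranges are placeholders.

```nginx
# Added example, not ZKTeco configuration. Assumed: the web console is reached
# only through this proxy at https://zkbio.example.internal; the application
# listens on 127.0.0.1:8088; device-to-server traffic uses its own ports and
# does not pass through this server block.

# 1 = Origin header names the console or is absent; 0 = some other site
map $http_origin $origin_ok {
    default                          0;
    ""                               1;
    "https://zkbio.example.internal" 1;
}

# 1 = Referer names the console or is absent; 0 = some other site
map $http_referer $referer_ok {
    default                               0;
    ""                                    1;
    "~^https://zkbio\.example\.internal/" 1;
}

# Block state-changing methods when either header points elsewhere.
# Caveat: a POST carrying neither header is allowed through; change the ""
# rows above to 0 if every legitimate client is a current browser (which
# always sends Origin on a cross-origin POST).
map "$request_method:$origin_ok:$referer_ok" $csrf_block {
    default                           0;
    "~^(POST|PUT|PATCH|DELETE):0:"    1;
    "~^(POST|PUT|PATCH|DELETE):1:0$"  1;
}

server {
    listen 443 ssl;
    server_name zkbio.example.internal;
    # ssl_certificate / ssl_certificate_key omitted

    # Network restriction is worth keeping but does not stop CSRF on its own:
    # the forged request comes from an administrator's browser inside this range.
    allow 10.20.0.0/16;
    deny  all;

    location / {
        if ($csrf_block) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8088;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # nginx 1.19.3+: add Secure and SameSite=Strict to every Set-Cookie
        # from the application, so browsers omit the session cookie on
        # requests that other sites initiate (the forgery arrives logged-out).
        proxy_cookie_flags ~ secure samesite=strict;
    }
}
```

With SameSite=Strict an administrator who follows a link from another site into the console lands on it without a session and has to log in again; that is acceptable for an administrative interface and is the behaviour that defeats the attack. Test the rule set before relying on it: a legitimate add-user submission from the console must still succeed, and the same request replayed with `Origin: https://attacker.example` must receive the 403.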


CVE-2016-20028 vulnerability details – vuln.today
