CVE-2016-20029

EUVD-2016-10813 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-03-15 VulnCheck
6.9
CVSS 4.0
CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (5 events)

CVSS changed: Apr 15, 2026 15:22 (NVD), 6.2 (MEDIUM) to 6.9 (MEDIUM)
PoC Detected: Mar 16, 2026 14:53 (vuln.today), public exploit code
EUVD ID Assigned: Mar 15, 2026 14:00 (euvd), EUVD-2016-10813
Analysis Generated: Mar 15, 2026 14:00 (vuln.today)
CVE Published: Mar 15, 2026 13:35 (nvd), MEDIUM 6.2

Description (NVD)

ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including configuration files, source code, and protected application resources.

Analysis (AI-generated)

ZKTeco ZKBioSecurity 3.0 contains a local file path manipulation vulnerability (CWE-276) that allows unauthenticated attackers to bypass access controls and read arbitrary files including configuration files, source code, and application resources. A publicly available proof-of-concept exists, and the vulnerability has moderate real-world risk due to its local attack vector requirement but high confidentiality impact on sensitive biometric system data.

Technical Context (AI-generated)

The vulnerability stems from improper file access control in ZKBioSecurity 3.0 (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*), a biometric security management system. The root cause is classified under CWE-276 (Incorrect Default Permissions), indicating that the application fails to properly restrict file path operations when retrieving local resources. Attackers manipulate path parameters (likely via directory traversal or symbolic link attacks) to reach files outside the intended directories. The vulnerability specifically affects the file retrieval mechanism that loads local application resources, which points to missing input validation on file path parameters: no adequate canonicalization or sandboxing before the path is used.

Remediation (AI-generated)

Specific patch versions are not explicitly provided in available references. Recommended actions: (1) Contact ZKTeco directly for security patches or workarounds for ZKBioSecurity 3.0; (2) Implement operating system-level file access controls restricting application process permissions to only required directories; (3) Disable or restrict local access to affected ZKBioSecurity systems to only trusted administrators; (4) Monitor file access patterns for suspicious path traversal attempts; (5) Upgrade to a patched version if available from ZKTeco; (6) Review https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-file-path-manipulation-vulnerability and vendor security bulletins for patch availability and official remediation guidance.
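The unchecked path join the technical context above describes, beside a canonicalizing containment check, with that same check reused as the log-monitoring rule from remediation item (4). This is an added example, not the advisory's or ZKTeco's code: the resource root, the /resource endpoint, the path parameter and the log lines are constructed placeholders.

```python
import posixpath
import re
import urllib.parse

# Constructed placeholders: a hypothetical resource root and a 'path' query
# parameter, standing in for the "path parameters used to retrieve local
# resources" the advisory describes. Not ZKBioSecurity's real layout.
RESOURCE_ROOT = "/opt/app/resources"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3}')


def vulnerable_resource_path(requested):
    """Flaw pattern: user input joined to the root with no containment check.
    normpath stands in for the kernel resolving '..', giving the file really opened."""
    return posixpath.normpath(posixpath.join(RESOURCE_ROOT, requested))


def safe_resource_path(requested):
    """Hardened form: canonicalize, then require the result to lie strictly inside
    RESOURCE_ROOT; None tells the caller to answer 403/404. Expects decoded input;
    the check is lexical, so use os.path.realpath() if the root may hold symlinks."""
    if not requested or "\x00" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(RESOURCE_ROOT, requested))
    return candidate if candidate.startswith(RESOURCE_ROOT + "/") else None


def flag_traversal_attempts(log_lines):
    """Detection counterpart: every 'path' value in the access log goes through
    safe_resource_path; rejected ones come back as (client_ip, decoded_path)."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("url")).query
        for value in urllib.parse.parse_qs(query).get("path", []):
            if safe_resource_path(value) is None:
                flagged.append((m.group("ip"), value))
    return flagged


# Constructed sample access log (combined-log shape, fictitious addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2026:13:35:00 +0000] "GET /resource?path=css/app.css HTTP/1.1" 200 812',
    '10.0.0.9 - - [15/Mar/2026:13:36:10 +0000] "GET /resource?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1423',
    '10.0.0.9 - - [15/Mar/2026:13:36:12 +0000] "GET /resource?path=%2Fetc%2Fshadow HTTP/1.1" 200 0',
    '10.0.0.7 - - [15/Mar/2026:13:37:00 +0000] "GET /login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path in flag_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path!r}")
```

Note that the detection rule only sees requests that reach the web server log; a status of 200 on a rejected path is the signal that the application served something it should not have.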

CVE-2016-20029 vulnerability details – vuln.today