
CVE-2016-20031

EUVD-2016-10817 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-03-15 VulnCheck
6.8
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

CVSS changed
Apr 15, 2026 - 15:22 NVD
5.5 (MEDIUM) to 6.8 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 14:00 euvd
EUVD-2016-10817
Analysis Generated
Mar 15, 2026 - 14:00 vuln.today
CVE Published
Mar 15, 2026 - 13:35 nvd
MEDIUM 5.5

Description (NVD)

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

Analysis (AI)

ZKTeco ZKBioSecurity 3.0 contains a local authentication bypass vulnerability in visLogin.jsp that allows low-privileged attackers to authenticate without valid credentials by spoofing IPv6 loopback addresses and leveraging hardcoded credentials. Once authenticated, a local attacker can access sensitive information and perform unauthorized actions. Public exploits are available (Packet Storm Security, Exploit-DB), indicating moderate real-world risk despite the 5.5 CVSS score, which reflects the local-only attack vector.

Technical Context (AI)

The vulnerability exists in the visLogin.jsp authentication handler of ZKTeco ZKBioSecurity (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*), specifically in the EnvironmentUtil.getClientIp() method. The root cause is CWE-798 (Use of Hard-Coded Credentials): the application implements a localhost-only authentication path that uses the client IP address as the username and the hardcoded password '123456'. The bypass relies on inconsistent handling of the IPv6 loopback notation (0:0:0:0:0:0:0:1), which the code treats as equivalent to 127.0.0.1, so a request arriving over the IPv6 loopback satisfies the IP-based access control without presenting real credentials. This is a classic implementation flaw: IP-based authentication combined with hardcoded credentials creates a trivial bypass path for any local user.

Remediation (AI)

Specific patch versions are not documented in the provided references. Recommended actions: (1) Contact ZKTeco Inc. directly to determine whether patches exist for version 3.0 or whether an upgrade to version 4.x or later is required; (2) If patching is unavailable, implement network-level mitigations: restrict local access to ZKBioSecurity systems via host-based firewall rules (ufw or iptables on Linux; Windows Firewall on Windows); (3) Disable or restrict access to the visLogin.jsp endpoint if an alternative authentication method exists; (4) Monitor for exploitation attempts by logging authentication via the IPv6 loopback (0:0:0:0:0:0:0:1) or with a username matching an IP address; (5) Consider upgrading to a newer ZKTeco product version if one is available and supported; (6) If the application permits, change the hardcoded password '123456' via application configuration files (if modifiable), though this may require source code modification. Immediate action: segregate ZKBioSecurity systems from untrusted local users.
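One way to implement the monitoring in step (4), as an added example that is not code from the page or from ZKTeco: it scans constructed authentication log lines in a hypothetical "<timestamp> <client_ip> <username> <result>" format (the real ZKBioSecurity log format is not documented here) and flags any login whose username parses as an IP address or whose client address is a loopback address in any notation, generalizing the page's 0:0:0:0:0:0:0:1 case to ::1 and the IPv4-mapped form ::ffff:127.0.0.1.

```python
import ipaddress
import re

# Constructed sample log lines; the field layout is hypothetical.
SAMPLE_LOG = """\
2026-03-16T10:00:01 10.0.0.15 alice LOGIN_OK
2026-03-16T10:00:07 0:0:0:0:0:0:0:1 127.0.0.1 LOGIN_OK
2026-03-16T10:00:09 ::1 ::1 LOGIN_OK
2026-03-16T10:01:12 10.0.0.22 bob LOGIN_FAIL
2026-03-16T10:02:30 ::ffff:127.0.0.1 127.0.0.1 LOGIN_OK
2026-03-16T10:03:00 10.0.0.30 192.168.1.5 LOGIN_FAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_ip(text):
    """Parse text as an IP address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Returns an IPv4Address/IPv6Address, or None when text is not an IP at all.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # so ::ffff:127.0.0.1 is judged as 127.0.0.1
    return addr


def classify(line):
    """Return the reasons a log line is suspicious (empty list when benign)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    _ts, client, user, _result = m.groups()
    reasons = []
    client_ip = normalize_ip(client)
    if client_ip is not None and client_ip.is_loopback:
        reasons.append(f"client {client} is a loopback address")
    if normalize_ip(user) is not None:  # the bypass path uses the IP as the username
        reasons.append(f"username {user!r} is an IP address")
    return reasons


def find_suspicious(log_text):
    """Return (line_number, line, reasons) for every suspicious line in log_text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line) if line.strip() else []
        if reasons:
            hits.append((n, line, reasons))
    return hits


if __name__ == "__main__":
    for n, line, reasons in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)} :: {line}")
```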


CVE-2016-20031 vulnerability details – vuln.today
