Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.
AnalysisAI
ZKTeco ZKBioSecurity 3.0 contains a local authentication bypass vulnerability in visLogin.jsp that allows low-privileged attackers to authenticate without valid credentials by spoofing IPv6 loopback addresses and leveraging hardcoded credentials. An authenticated local attacker can access sensitive information and perform unauthorized actions; public exploits are available (Packet Storm Security, Exploit-DB), indicating moderate real-world risk despite the 5.5 CVSS score reflecting local-only attack vector.
Technical ContextAI
The vulnerability exists in the visLogin.jsp authentication handler of ZKTeco ZKBioSecurity (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*), specifically in the EnvironmentUtil.getClientIp() method. The root cause is CWE-798 (Use of Hard-Coded Credentials): the application implements a localhost-only authentication bypass using hardcoded password '123456' combined with the client IP address as username. The vulnerability exploits improper handling of IPv6 loopback notation (0:0:0:0:0:0:0:1) which should be equivalent to 127.0.0.1 but is handled inconsistently, allowing spoofing via IPv6 requests that bypass IP-based access controls. This is a classic implementation flaw where IP-based authentication combined with hardcoded credentials creates a trivial bypass path for any local user.
RemediationAI
Specific patch versions are not documented in provided references. Recommended actions: (1) Contact ZKTeco Inc. directly to determine if patches exist for version 3.0 or if upgrade to version 4.x or later is required; (2) If patching is unavailable, implement network-level mitigations: restrict local access to ZKBioSecurity systems via host-based firewall rules (ufw, iptables on Linux; Windows Firewall on Windows); (3) Disable or restrict access to visLogin.jsp endpoint if an alternative authentication method exists; (4) Monitor for exploitation attempts by logging authentication via IPv6 loopback (0:0:0:0:0:0:0:1) or username matching IP addresses; (5) Consider upgrading to a newer ZKTeco product version if available and supported; (6) If the application permits, change the hardcoded password '123456' via application configuration files (if modifiable), though this may require source code modification. Immediate action: segregate ZKBioSecurity systems from untrusted local users.
More in Zkteco Zkbiosecurity
View allUser enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usern
ZKTeco ZKBioSecurity 3.0 contains a local file path manipulation vulnerability (CWE-276) that allows unauthenticated att
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability that allows authenticated attackers
Reflected cross-site scripting (XSS) vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2016-10817