Which versions of Tomcat are affected by EUVD-2016-10807?

ZKTeco ZKBioSecurity 3.0 systems contain hardcoded administrative credentials that allow attackers to bypass authentication and execute malicious code with full system privileges.

Is there a public PoC exploit available for EUVD-2016-10807?

Yes, a public proof-of-concept exploit is available for EUVD-2016-10807. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2016-10807?

Within 24 hours: Inventory all ZKTeco ZKBioSecurity 3.0 deployments and isolate affected systems from production networks if possible; disable remote access to the Tomcat manager interface. Within 7 days: Contact ZKTeco for patch availability and interim guidance; implement network-based access controls restricting manager application access to authorized personnel only from specific IPs. Within 30 days: Migrate to patched version immediately upon vendor release; conduct forensic analysis of affected systems for evidence of compromise.

Tomcat EUVD-2016-10807

Q: What is the CVSS score of EUVD-2016-10807?

EUVD-2016-10807 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2016-20026 CRITICAL

Use of Hard-coded Credentials (CWE-798)

2026-03-15 VulnCheck

Authentication Bypass RCE Apache Tomcat

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 15, 2026 - 14:00 euvd

EUVD-2016-10807

Analysis Generated

Mar 15, 2026 - 14:00 vuln.today

CVE Published

Mar 15, 2026 - 13:35 nvd

CRITICAL 9.8

DescriptionNVD

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

AnalysisAI

Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

Technical ContextAI

The vulnerability stems from hardcoded credentials in the tomcat-users.xml configuration file of the bundled Apache Tomcat server within ZKTeco ZKBioSecurity (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*). This is a classic CWE-798 (Use of Hard-coded Credentials) issue where default credentials are embedded in the application distribution. The affected version 3.0.1.0_R_230 includes a Tomcat manager application accessible with these static credentials, allowing attackers to deploy arbitrary Java web applications (WAR files) containing malicious JSP code.

RemediationAI

No specific patch information is available in the provided references. Immediate actions include: 1) Disable or restrict network access to the Tomcat manager application, 2) Change the default credentials in tomcat-users.xml if possible, 3) Consider upgrading to a newer version of ZKBioSecurity if available, 4) Implement network segmentation to limit exposure of the management interface. Contact ZKTeco for vendor-specific patches or updates. The VulnCheck advisory (https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution) may contain additional remediation details.