CVE-2016-20026

Sažetak

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Reference

https://cxsecurity.com/issue/WLB-2016080266
https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
https://packetstormsecurity.com/files/138567
https://www.exploit-db.com/exploits/40324/
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

16-03-2026 - 14:53

Objavljeno

16-03-2026 - 14:17