ZKBioSecurity 3.0 hardcoded Tomcat credentials allow arbitrary code exec
CVE-2016-20026 Published on March 15, 2026
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Vulnerability Analysis
CVE-2016-20026 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Affected Versions
ZKTeco Inc. ZKTeco ZKBioSecurity Version 3.0.1.0_R_230 is affected by CVE-2016-20026Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.