ZKTeco ZKBioSecurity 3.0 Local Auth Bypass via visLogin.jsp
CVE-2016-20031 Published on March 15, 2026
ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.
Vulnerability Analysis
CVE-2016-20031 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2016-20031. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Affected Versions
ZKTeco Inc. ZKTeco ZKBioSecurity Version 3.0.1.0_R_230 is affected by CVE-2016-20031Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.