CVE-2016-20026
Published: 2026-03-16 · Last updated: 2026-06-08
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-798
Description
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2016-20026
- [Other] https://cxsecurity.com/issue/WLB-2016080266
- [Other] https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
- [Other] https://packetstormsecurity.com/files/138567
- [Other] https://www.exploit-db.com/exploits/40324/
- [Other] https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
- [Other] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
Related CVEs
Same CWE
- CVE-2026-50083 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-... (9.1 CRITICAL)
- CVE-2026-10557 — The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices (9.8 CRITICAL)
- CVE-2026-11849 — The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remo... (9.8 CRITICAL)
- CVE-2026-47281 — Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
- CVE-2026-11414 — A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service