{"api_version":"1","generated_at":"2026-06-08T18:26:57+00:00","cve":"CVE-2016-20026","urls":{"html":"https://cve.report/CVE-2016-20026","api":"https://cve.report/api/cve/CVE-2016-20026.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-20026","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-20026"},"summary":{"title":"ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution","description":"ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2026-03-16 14:17:48","updated_at":"2026-06-08 16:16:32"},"problem_types":["CWE-798","CWE-798 Use of Hard-coded Credentials"],"metrics":[{"version":"4.0","source":"disclosure@vulncheck.com","type":"Secondary","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"disclosure@vulncheck.com","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://packetstormsecurity.com/files/138567","name":"https://packetstormsecurity.com/files/138567","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php","name":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution","name":"https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/116484","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/116484","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cxsecurity.com/issue/WLB-2016080266","name":"https://cxsecurity.com/issue/WLB-2016080266","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/40324/","name":"https://www.exploit-db.com/exploits/40324/","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-20026","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-20026","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ZKTeco Inc.","product":"ZKTeco ZKBioSecurity","version":"affected 3.0.1.0_R_230","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"The affected software ZKBioSecurity and ZKAccess have been officially discontinued. It is recommended that users switch to using ZKBio CVSecurity software. ZKBio CVSecurity has fixed these vulnerabilities. It is recommended that customers use the latest version of ZKBio CVSecurity to eliminate risks.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"LiquidWorm as Gjoko Krstic of Zero Science Lab","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2016-20026","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-16T14:15:30.366324Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-16T14:20:20.775Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"ZKTeco ZKBioSecurity","vendor":"ZKTeco Inc.","versions":[{"status":"affected","version":"3.0.1.0_R_230"}]}],"credits":[{"lang":"en","type":"finder","value":"LiquidWorm as Gjoko Krstic of Zero Science Lab"}],"datePublic":"2016-08-31T00:00:00.000Z","descriptions":[{"lang":"en","value":"ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-798","description":"Use of Hard-coded Credentials","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-08T15:11:27.794Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"name":"Zero Science Lab Disclosure","tags":["third-party-advisory"],"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php"},{"name":"CXSecurity","tags":["third-party-advisory"],"url":"https://cxsecurity.com/issue/WLB-2016080266"},{"name":"IBM X-Force Exchange","tags":["vdb-entry"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/116484"},{"name":"Packet Storm Security","tags":["exploit"],"url":"https://packetstormsecurity.com/files/138567"},{"name":"Reference","tags":["exploit"],"url":"https://www.exploit-db.com/exploits/40324/"},{"name":"VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution"}],"solutions":[{"lang":"en","value":"The affected software ZKBioSecurity and ZKAccess have been officially discontinued. It is recommended that users switch to using ZKBio CVSecurity software. ZKBio CVSecurity has fixed these vulnerabilities. It is recommended that customers use the latest version of ZKBio CVSecurity to eliminate risks."}],"tags":["unsupported-when-assigned"],"title":"ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution","x_generator":{"engine":"vulncheck"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2016-20026","datePublished":"2026-03-15T13:35:16.754Z","dateReserved":"2026-03-15T12:36:32.692Z","dateUpdated":"2026-06-08T15:11:27.794Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-16 14:17:48","lastModifiedDate":"2026-06-08 16:16:32","problem_types":["CWE-798","CWE-798 Use of Hard-coded Credentials"],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"20026","Ordinal":"1","Title":"ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execu","CVE":"CVE-2016-20026","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"20026","Ordinal":"1","NoteData":"ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.","Type":"Description","Title":"ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execu"}]}}}