← Zuruck zu CVEs
CVE-2016-20026
CRITICAL9.8
Beschreibung
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
CVE Details
CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht3/16/2026
Zuletzt geandert3/16/2026
Quellenvd
Honeypot-Sichtungen0
Schwachen (CWE)
CWE-798
Referenzen
https://cxsecurity.com/issue/WLB-2016080266(disclosure@vulncheck.com)
https://exchange.xforce.ibmcloud.com/vulnerabilities/116484(disclosure@vulncheck.com)
https://packetstormsecurity.com/files/138567(disclosure@vulncheck.com)
https://www.exploit-db.com/exploits/40324/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution(disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php(disclosure@vulncheck.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.