CVE-2016-20026 CRITICAL

CVE-2016-20026: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution

Vendor Zkteco Inc.
Product ZKTeco ZKBioSecurity
Weakness CWE-798 · Hardcoded credentials
Published March 15, 2026
Last update June 8, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Key dates

02Disclosure timeline

March 15, 2026 CVE published
June 8, 2026 Record updated