CVE-2025-54464 HIGH

CVE-2025-54464: Cleartext Storage Vulnerability in ZKTeco WL20

Vendor Zkteco Co
Product WL20 Biometric Attendance System
Weakness CWE-312 · Cleartext storage
Published August 13, 2025
Last update August 13, 2025

CVSS base score

7.0/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

This vulnerability exists in ZKTeco WL20 because admin and user credentials are stored without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary data to access the unencrypted credentials stored in the firmware of the targeted device.

Key dates

02 Disclosure timeline

August 13, 2025 CVE published
August 13, 2025 Record updated