CVE-2025-54465 MEDIUM

CVE-2025-54465: Hard-coded Credentials Vulnerability in ZKTeco WL20

Vendor Zkteco Co
Product WL20 Biometric Attendance System
Weakness CWE-798 · Hardcoded credentials
Published August 13, 2025
Last update August 13, 2025

CVSS base score

6.8/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device.

Key dates

02Disclosure timeline

August 13, 2025 CVE published
August 13, 2025 Record updated