CVE-2025-55279 MEDIUM

CVE-2025-55279: Hard-coded Private Key Vulnerability in ZKTeco WL20

Vendor Zkteco Co
Product WL20 Biometric Attendance System
Weakness CWE-798 · Hardcoded credentials
Published August 13, 2025
Last update August 13, 2025

CVSS base score

6.9/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device.

Key dates

02Disclosure timeline

August 13, 2025 CVE published
August 13, 2025 Record updated