CVE-2025-55280 MEDIUM

CVE-2025-55280: Information Disclosure Vulnerability in ZKTeco WL20

Vendor Zkteco Co
Product WL20 Biometric Attendance System
Weakness CWE-312 · Cleartext storage
Published August 13, 2025
Last update August 13, 2025

CVSS base score

5.2/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the plaintext sensitive data stored in the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized network access, retrieve and manipulate data on the targeted device.

Key dates

02Disclosure timeline

August 13, 2025 CVE published
August 13, 2025 Record updated