Vulnerability Description
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://cxsecurity.com/issue/WLB-2016080266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
- https://packetstormsecurity.com/files/138567
- https://www.exploit-db.com/exploits/40324/
- https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
FAQ
What is CVE-2016-20026?
CVE-2016-20026 is a vulnerability with a CVSS score of 9.8 (CRITICAL). ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hard...
How severe is CVE-2016-20026?
CVE-2016-20026 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-20026?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.