CVE Catalog

CVE-2016-20026

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Risk Assessment

The risk to the organization involves the potential for remote code execution by attackers, which could lead to system takeover and data leakage. Exploiting this vulnerability could result in serious consequences for the security and integrity of the system.

Recommendation

It is recommended to remove hardcoded credentials and secure access to the Tomcat manager application. A security audit should also be conducted, and the system should be updated to the latest version to minimize risk.

Original NVD description (English source)

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS