CVE-2016-20031
MediumCVSS 5.5Summary
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests.
Risk Assessment
Attackers can access sensitive information and perform unauthorized actions, posing a serious security threat to the organization.
Recommendation
It is recommended to update ZKTeco ZKBioSecurity to the latest version and implement additional security measures to mitigate the risk of this vulnerability.
Original NVD description (English source)
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

