What is CVE-2016-20026?

CVE-2016-20026 is a critical-severity vulnerability in Zkteco Inc. Zkbiosecurity, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2026-03-15.

How severe is CVE-2016-20026?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Vulnerability in Zkteco Inc. Zkbiosecurity

CVE-2016-20026

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-user…

EPSS: 0.001 (22.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Zkteco Inc. Zkbiosecurity — versions 3.0.1.0_R_230

Weakness classification (CWE)

CWE-798 — Use of Hard-coded Credentials

References

Zero Science Lab Disclosure (third-party-advisory)
CXSecurity (third-party-advisory)
IBM X-Force Exchange (vdb-entry)
Packet Storm Security (exploit)
Reference (exploit)
VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution (third-party-advisory)

Frequently asked questions

What is CVE-2016-20026?: CVE-2016-20026 is a critical-severity vulnerability in Zkteco Inc. Zkbiosecurity, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2026-03-15.
How severe is CVE-2016-20026?: Critical severity. CVSS v3 base score is 9.8 out of 10.