CVE-2016-20026
Deferred Deferred - Pending Action
Hardcoded Credentials in ZKTeco Tomcat Enable Remote Code Execution

Publication date: 2026-03-16

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-06-08
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2016-20026
EUVD
EUVD-2016-10807
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
zkteco zkbiosecurity 3.0.1.0_r_230
zkteco zkbiosecurity 3.0.1.0
zkteco zkbiosecurity *
zkteco zkbiosecurity 3.0
apache tomcat *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ZKTeco ZKBioSecurity 3.0, where the bundled Apache Tomcat server contains hardcoded credentials. These credentials are stored in the tomcat-users.xml file and allow unauthenticated attackers to access the Tomcat manager application.

Attackers can use these hardcoded credentials to upload malicious WAR archives containing JSP applications, which enables them to execute arbitrary code on the system with SYSTEM privileges.

Impact Analysis

The vulnerability allows attackers to gain unauthorized access to the Tomcat manager application without authentication.

By uploading malicious WAR files, attackers can execute arbitrary code with SYSTEM-level privileges, potentially leading to full system compromise.

This can result in data theft, system disruption, installation of malware, or further attacks within the affected environment.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2016-20026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart