Critical severity9.8NVD Advisory· Published Mar 16, 2026· Updated Apr 15, 2026

CVE-2016-20026

Description

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cxsecurity.com/issue/WLB-2016080266nvd
exchange.xforce.ibmcloud.com/vulnerabilities/116484nvd
packetstormsecurity.com/files/138567nvd
www.exploit-db.com/exploits/40324/nvd
www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-executionnvd
www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000