Medium severity5.5NVD Advisory· Published Mar 16, 2026· Updated Apr 15, 2026

CVE-2016-20031

Description

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cxsecurity.com/issue/WLB-2016090003nvd
exchange.xforce.ibmcloud.com/vulnerabilities/116488nvd
packetstormsecurity.com/files/138571nvd
www.exploit-db.com/exploits/40327/nvd
www.vulncheck.com/advisories/zkteco-zkbiosecurity-local-authorization-bypass-via-vislogin-jspnvd
www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000