PatchSiren cyber security CVE debrief
CVE-2016-20026 ZKTeco Inc. CVE debrief
CVE-2016-20026 is a critical vulnerability in ZKTeco ZKBioSecurity 3.0. The Apache Tomcat server bundled with the product ships with hardcoded credentials in its tomcat-users.xml, and those credentials grant access to the Tomcat manager application. An attacker who can reach the manager application needs no legitimate account: authenticating with the hardcoded credentials lets them upload a malicious WAR archive containing a JSP application, which Tomcat deploys and runs, giving the attacker arbitrary code execution with SYSTEM privileges.
- Vendor
- ZKTeco Inc.
- Product
- ZKTeco ZKBioSecurity
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-16
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-03-16
- Advisory updated
- 2026-06-08
Who should care
Administrators of ZKTeco ZKBioSecurity 3.0 installations, and the security teams responsible for the networks those installations sit on. Exposure is greatest where the bundled Tomcat instance, and its manager application in particular, is reachable from hosts outside a tightly controlled management network, since the only prerequisites for the attack are network access to the manager application and the unchanged hardcoded credentials.
Technical summary
The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. The weakness is a hardcoded account in the tomcat-users.xml of the Tomcat server bundled with ZKBioSecurity 3.0; the impact is arbitrary code execution with SYSTEM privileges. The attack path is standard Tomcat manager abuse: authenticate to the manager application with the hardcoded account, deploy a WAR archive containing a JSP, then request the JSP to run attacker-controlled code. No memory corruption is involved, so the fix is a configuration and credential problem rather than a code patch in the usual sense: as long as the credentials remain in tomcat-users.xml and the manager application is reachable, the system is exploitable.
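The attack path above leaves a recognisable trace in Tomcat's access log: a PUT to /manager/text/deploy or a POST to /manager/html/upload (the two manager endpoints that accept a WAR), followed by requests into the newly created context. The script below is an added example, not code from this page or from ZKTeco; it scans Tomcat common-format access-log lines for exactly that pattern. The sample log is constructed for the example, and the endpoint paths and the CSRF_NONCE parameter name are standard Tomcat manager details, not anything specific to ZKBioSecurity.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Tomcat "common" access-log format:
#   host ident user [time] "method uri protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Manager endpoints that accept a WAR. /manager/text/deploy takes the archive as a PUT
# body (the context path is in the ?path= query parameter); /manager/html/upload takes a
# multipart POST from the HTML form, where the context path comes from the WAR file name.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


@dataclass
class Event:
    host: str
    user: str
    time: str
    method: str
    uri: str
    status: int
    context: Optional[str] = None  # context path a deploy targeted, when visible in the URL


def parse_line(line: str) -> Optional[Event]:
    """Parse one common-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Event(m["host"], m["user"], m["time"], m["method"], m["uri"], int(m["status"]))


def scan_access_log(lines) -> Tuple[List[Event], List[Event]]:
    """Return (deploys, follow_ups).

    deploys:    PUT/POST requests to a manager deploy endpoint, i.e. a WAR being pushed.
    follow_ups: later requests into a context that one of those deploys created, which is
                what it looks like when someone starts using the JSP they just uploaded.
    Lines are assumed to be in chronological order, as Tomcat writes them.
    """
    deploys: List[Event] = []
    follow_ups: List[Event] = []
    deployed: set = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        parts = urlsplit(ev.uri)
        if ev.method in ("PUT", "POST") and parts.path.startswith(DEPLOY_PATHS):
            ctx = parse_qs(parts.query).get("path", [None])[0]
            ev.context = ctx
            deploys.append(ev)
            if ctx:
                deployed.add(ctx.rstrip("/") or "/")
            continue
        if any(parts.path == c or parts.path.startswith(c.rstrip("/") + "/") for c in deployed):
            follow_ups.append(ev)
    return deploys, follow_ups


# Constructed sample log, not from a real system: a visit to the manager, a WAR deployed
# to /shell via the text interface, a hit on the new context, and a second deploy via the
# HTML upload form (whose context path is not visible in the URL).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1324
10.0.0.9 - mgr [16/Mar/2026:10:05:41 +0000] "GET /manager/html HTTP/1.1" 200 18827
10.0.0.9 - mgr [16/Mar/2026:10:05:55 +0000] "PUT /manager/text/deploy?path=/shell&update=true HTTP/1.1" 200 43
10.0.0.9 - - [16/Mar/2026:10:06:03 +0000] "GET /shell/index.jsp HTTP/1.1" 200 31
10.0.0.12 - mgr [16/Mar/2026:11:00:00 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    deploys, follow_ups = scan_access_log(SAMPLE_LOG)
    for ev in deploys:
        print(f"DEPLOY     {ev.time} {ev.host} user={ev.user} {ev.method} {ev.uri} -> {ev.context}")
    for ev in follow_ups:
        print(f"FOLLOW-UP  {ev.time} {ev.host} {ev.method} {ev.uri}")
```

Any deploy from a source address that is not an administrator's host is worth investigating on its own; a deploy followed within minutes by requests into the new context from the same address is the signature of an uploaded JSP being used. For the HTML upload form the context path has to be recovered from the webapps directory on disk or from Tomcat's catalina log, since it does not appear in the request URL.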
Defensive priority
High
Recommended defensive actions
- Update ZKTeco ZKBioSecurity 3.0 to a version that no longer ships the hardcoded credentials. The stored evidence does not name a fixed version, so confirm with the vendor before treating an upgrade as sufficient.
- Until then, edit tomcat-users.xml in the bundled Tomcat installation to remove the hardcoded account, or give it a unique, strong password, and restart Tomcat so the realm reloads the file. Changing the credentials through the ZKBioSecurity interface does not address this file.
- Restrict access to the manager application: limit it to loopback or an administrative subnet with a RemoteAddrValve in the manager's META-INF/context.xml, firewall the Tomcat listener from untrusted networks, or remove the manager web application entirely if nothing depends on it.
- Check for prior abuse: review the Tomcat access log for PUT requests to /manager/text/deploy and POST requests to /manager/html/upload, and look for unexpected directories or WAR files under the Tomcat webapps directory.
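A quick way to verify the credential and access-restriction steps is to audit the two Tomcat files they touch. The script below is an added example, not code from this page or from ZKTeco: it flags every account in tomcat-users.xml that holds a manager or admin role or has an empty, username-equal or listed weak password, and it reports whether the manager's context.xml carries a RemoteAddrValve and what addresses it allows. The sample tomcat-users.xml and the two context.xml variants are constructed for the example; the accounts and passwords in it are invented and are not the credentials behind CVE-2016-20026, and the role names, valve class and loopback pattern are standard Tomcat configuration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# Roles that grant access to the manager or host-manager applications. "manager" is the
# legacy Tomcat 6 role name; the others are the split roles used by Tomcat 7 and later.
MANAGER_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str, known_weak: Iterable[str] = ()) -> List[Dict]:
    """Flag every <user> that holds a manager/admin role or has an obviously weak password.

    known_weak is a caller-supplied list of passwords to treat as compromised (for this CVE,
    the hardcoded values from the vendor advisory would go here; none are assumed in this
    example). If the realm stores digested passwords, the equality checks below compare
    digests rather than plaintext and only the role check is meaningful.
    """
    weak = set(known_weak)
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        priv = roles & MANAGER_ROLES
        if priv:
            reasons.append("holds manager/admin role(s): " + ",".join(sorted(priv)))
        if pw == "":
            reasons.append("empty password")
        elif pw.lower() == name.lower():
            reasons.append("password equals username")
        elif pw in weak:
            reasons.append("password is on the known-weak list")
        if reasons:
            findings.append({"username": name, "roles": sorted(roles), "reasons": reasons})
    return findings


def manager_allow_pattern(context_xml: str) -> Optional[str]:
    """Return the RemoteAddrValve allow pattern from a manager META-INF/context.xml, or None
    when no such valve is configured (i.e. the manager answers to any source address)."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Valve" and el.get("className") == REMOTE_ADDR_VALVE:
            return el.get("allow", "")
    return None


# Constructed sample tomcat-users.xml. The accounts and passwords are made up for this
# example and are not the credentials behind CVE-2016-20026.
SAMPLE_USERS_XML = """\
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="operator"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="operator" password="Xy7!pq2#Lm" roles="operator"/>
  <user username="svc-backup" password="" roles="manager-script"/>
</tomcat-users>
"""

# Manager context.xml before (no valve: reachable from any address) and after hardening
# (loopback only). The hardened form is what goes in webapps/manager/META-INF/context.xml.
OPEN_MANAGER_CONTEXT = """<Context antiResourceLocking="false" privileged="true"/>"""
HARDENED_MANAGER_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"{f['username']:<12} roles={','.join(f['roles'])}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("open manager allow pattern:    ", manager_allow_pattern(OPEN_MANAGER_CONTEXT))
    print("hardened manager allow pattern:", manager_allow_pattern(HARDENED_MANAGER_CONTEXT))
```

Run it against the real tomcat-users.xml and webapps/manager/META-INF/context.xml from the ZKBioSecurity installation. Any account holding a manager role that nobody can account for should be removed, and a None result for the manager context means the manager answers to every address that can reach the Tomcat port. Tomcat only reads tomcat-users.xml at startup, so re-run the audit after the restart that follows any change.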
Evidence notes
The stored evidence does not identify who reported the vulnerability, and the evidence itself carries a low confidence rating. Treat the details above as unverified until they have been checked against the CVE record and the vendor's own guidance.
Official resources
CVE-2016-20026 was published on March 16, 2026, and modified on June 8, 2026.