PatchSiren cyber security CVE debrief
CVE-2016-20028 ZKTeco Inc. CVE debrief
CVE-2016-20028 is a medium-severity cross-site request forgery (CSRF) vulnerability in ZKTeco ZKBioSecurity 3.0. Because the affected administrative endpoint does not verify that a state-changing request was deliberately issued from the application itself, an attacker can lure a logged-in user to an attacker-controlled page that submits a crafted HTTP request; that request adds a superadmin account with no validity check, giving the attacker unauthorized administrative access.
- Vendor: ZKTeco Inc.
- Product: ZKTeco ZKBioSecurity
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-16
- Original CVE updated: 2026-06-08
- Advisory published: 2026-03-16
- Advisory updated: 2026-06-08
Who should care
Administrators and users of ZKTeco ZKBioSecurity 3.0 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and is classified as medium severity. Its CVSS 4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (the trailing components marked X are threat, environmental and supplemental metrics left as Not Defined).
Defensive priority
medium
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Implement CSRF protection mechanisms to prevent similar attacks.
- Educate users about the risks of visiting malicious websites and the importance of being cautious when clicking on links.
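The second action above, CSRF protection on state-changing administrative requests, is shown below as an added example; it is not code from ZKTeco or from the advisory. It contrasts a handler that relies only on the session cookie with one that also requires a per-session synchronizer token and a matching Origin/Referer header. The Request and Session classes, the `SITE_ORIGIN` value and the handler names are assumptions constructed for illustration, not ZKBioSecurity APIs.

```python
"""Added example, not from the advisory or the vendor: a synchronizer-token
plus origin check for an "add user" style admin endpoint.
All types and names here are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment origin of the protected application (constructed value).
SITE_ORIGIN = "https://bio-security.example"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request object (constructed)."""
    method: str
    headers: dict
    form: dict


@dataclass
class Session:
    """Server-side session bound to the session cookie (constructed).
    The CSRF token is generated once per session and embedded in each form."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def add_user_vulnerable(sess: Session, req: Request, users: dict) -> bool:
    """'Before' pattern: authorization is decided from the session alone.
    The browser attaches the session cookie to cross-site form posts too,
    so a request forged from another origin is accepted."""
    if sess.role != "admin":
        return False
    users[req.form["username"]] = req.form["role"]
    return True


def _origin_ok(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer)
    matches the application's own origin. Fail closed when both are absent."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def _token_ok(sess: Session, req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, sess.csrf_token)


def add_user_hardened(sess: Session, req: Request, users: dict) -> bool:
    """'After' pattern: state changes require POST, an admin session,
    a same-origin source header and a valid per-session CSRF token."""
    if req.method != "POST":
        return False
    if sess.role != "admin":
        return False
    if not _origin_ok(req) or not _token_ok(sess, req):
        return False
    users[req.form["username"]] = req.form["role"]
    return True


def demo() -> dict:
    """Run both handlers against a forged cross-site post and a legitimate one."""
    sess = Session(user="admin1", role="admin")
    forged = Request(
        method="POST",
        headers={"Origin": "https://attacker.example"},  # constructed
        form={"username": "newadmin", "role": "superadmin"},
    )
    legit = Request(
        method="POST",
        headers={"Origin": SITE_ORIGIN},
        form={"username": "ops", "role": "operator", "csrf_token": sess.csrf_token},
    )
    results = {
        "vulnerable_accepts_forged": add_user_vulnerable(sess, forged, {}),
        "hardened_rejects_forged": not add_user_hardened(sess, forged, {}),
        "hardened_accepts_legit": add_user_hardened(sess, legit, {}),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The origin check alone is not sufficient (some clients strip these headers, which is why the code fails closed), and the token alone is the classic defence; using both, together with a SameSite attribute on the session cookie, is the usual layered configuration.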
Evidence notes
The reporting source is recorded as an unknown vendor and the record carries a low confidence level. The evidence includes references from several sources, including Cxsecurity, X-Force, Packet Storm Security, Exploit-DB, VulnCheck, and Zero Science.
Official resources
CVE-2016-20028 was published on 2026-03-16T14:17:49.333Z and modified on 2026-06-08T16:16:32.553Z.