CVE-2016-20026
CRITICAL SEVERITYCVSS Score & Metrics
Base Score
9.8 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Description
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-798
Source
NVD
Vendor
ZKTeco Inc.
Product
ZKTeco ZKBioSecurity
External References
- https://cxsecurity.com/issue/WLB-2016080266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
- https://packetstormsecurity.com/files/138567
- https://www.exploit-db.com/exploits/40324/
- https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
Discussion (0)
Add Comment
No comments yet. Be the first!