CVE-2016-20026 Overview
ZKTeco ZKBioSecurity 3.0 contains a critical hardcoded credentials vulnerability (CWE-798) in the bundled Apache Tomcat server that allows unauthenticated attackers to gain complete control over affected systems. The vulnerability exists because the application ships with hardcoded administrative credentials stored in the tomcat-users.xml configuration file, enabling remote attackers to access the Tomcat Manager application without any prior authentication.
Once authenticated to the Tomcat Manager, attackers can upload malicious WAR (Web Application Archive) files containing JSP (JavaServer Pages) applications. Since the Tomcat service typically runs with SYSTEM privileges on Windows installations, successful exploitation results in arbitrary code execution with the highest level of system access.
Critical Impact
Unauthenticated remote attackers can achieve SYSTEM-level code execution by leveraging hardcoded Tomcat credentials to deploy malicious web applications, potentially compromising physical access control systems and sensitive biometric data.
Affected Products
- ZKTeco ZKBioSecurity 3.0
- Apache Tomcat (bundled with ZKBioSecurity)
- Windows Server installations running ZKBioSecurity
Discovery Timeline
- 2026-03-16 - CVE-2016-20026 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2016-20026
Vulnerability Analysis
This vulnerability represents a fundamental security flaw in the software distribution model where sensitive credentials are embedded directly in configuration files. The tomcat-users.xml file, which controls access to administrative functions of the Apache Tomcat web server, contains static username and password combinations that are identical across all installations of ZKBioSecurity 3.0.
The impact is severe because ZKBioSecurity is a biometric security management platform used to control physical access to buildings and facilities. Compromise of this system could allow attackers to manipulate door access controls, exfiltrate biometric data (fingerprints, facial recognition templates), and pivot to other systems on the network.
The network-accessible nature of this vulnerability means that any attacker who can reach the Tomcat Manager interface on the network can exploit this flaw without any prerequisites beyond network connectivity.
Root Cause
The root cause is the inclusion of hardcoded credentials in the tomcat-users.xml configuration file that ships with ZKBioSecurity 3.0. This practice violates fundamental security principles as it creates identical authentication credentials across all deployments. The credentials grant access to the Tomcat Manager application, which provides administrative functions including the ability to deploy, undeploy, and manage web applications.
This type of vulnerability (CWE-798: Use of Hard-coded Credentials) is particularly dangerous because:
- Credentials cannot be changed without vendor intervention or manual configuration changes
- All installations share the same credentials, making exploitation trivial once discovered
- The credentials are stored in plain text within the file system
Attack Vector
The attack vector is network-based and requires no user interaction or prior privileges. An attacker follows this exploitation path:
- Discovery: Identify ZKBioSecurity installations by scanning for Tomcat Manager interfaces on common ports (typically 8080 or 8443)
- Authentication: Use the hardcoded credentials from tomcat-users.xml to authenticate to the Tomcat Manager application
- Payload Deployment: Upload a malicious WAR file containing a JSP web shell or reverse shell payload
- Code Execution: Access the deployed web application to execute arbitrary commands with SYSTEM privileges
The exploitation is straightforward because Tomcat Manager provides a built-in mechanism for deploying WAR files through both a web interface and HTTP API endpoints. Numerous public tools and scripts exist for automating this attack chain against exposed Tomcat Manager instances.
For detailed technical information and proof-of-concept code, see the Exploit-DB #40324 advisory and the Zero Science ZSL-2016-5362 Vulnerability disclosure.
Detection Methods for CVE-2016-20026
Indicators of Compromise
- HTTP requests to /manager/html, /manager/text, or /manager/status endpoints with successful authentication
- New or unexpected WAR files deployed to the Tomcat webapps directory
- JSP files appearing in web application directories that were not part of the original installation
- Outbound network connections originating from the Tomcat/Java process
- Unexpected processes spawned as child processes of the Tomcat service
Detection Strategies
- Monitor Tomcat access logs for authentication attempts to the Manager application, particularly from external IP addresses
- Implement file integrity monitoring on the webapps directory to detect unauthorized WAR deployments
- Configure network-based detection for HTTP POST requests to Tomcat Manager deployment endpoints
- Alert on any successful authentication to the Tomcat Manager from non-administrative source IPs
Monitoring Recommendations
- Enable detailed access logging for the Tomcat Manager application
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process creation from the Tomcat service
- Implement network segmentation to isolate ZKBioSecurity systems from untrusted networks
- Monitor for unusual file system activity in Tomcat installation directories
How to Mitigate CVE-2016-20026
Immediate Actions Required
- Immediately change the default credentials in tomcat-users.xml to unique, strong passwords
- Disable or remove the Tomcat Manager application if it is not required for operations
- Restrict network access to the Tomcat Manager interface using firewall rules or IP allowlisting
- Review Tomcat logs for evidence of prior unauthorized access or WAR deployments
- Audit deployed web applications and remove any unauthorized or suspicious WAR files
Patch Information
Check with ZKTeco for updated versions of ZKBioSecurity that address this hardcoded credentials vulnerability. In the absence of a vendor patch, manual remediation of the tomcat-users.xml file is required to secure the installation.
Additional technical details and references are available from VulnCheck Advisory on ZKTeco RCE and IBM X-Force Vulnerability #116484.
Workarounds
- Replace hardcoded credentials in tomcat-users.xml with strong, unique credentials specific to each installation
- Remove the manager-gui, manager-script, and manager-jmx roles from all users if Tomcat Manager is not needed
- Configure the Tomcat Manager with IP-based access restrictions using the RemoteAddrValve
- Deploy a reverse proxy or web application firewall in front of the Tomcat server to restrict access to administrative endpoints
- Consider running ZKBioSecurity in an isolated network segment with no direct internet access
# Configuration example - Restrict Tomcat Manager access to localhost only
# Add to META-INF/context.xml in the manager application
# <Valve className="org.apache.catalina.valves.RemoteAddrValve"
# allow="127\.0\.0\.1|::1" />
# Remove or change default credentials in tomcat-users.xml
# Replace default entries with strong, unique credentials:
# <user username="admin" password="STRONG_RANDOM_PASSWORD" roles="manager-gui"/>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
