QwikSec

Security Database

CVE

CWE

Training

CVE-2016-20031

Published: Mar 15, 2026

Modified: Mar 16, 2026

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

Vendor	Product	Versions
ZKTeco Inc.	ZKTeco ZKBioSecurity	affected `3.0.1.0_R_230`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

Zero Science Lab Disclosure

third-party-advisory

third-party-advisory

IBM X-Force Exchange

vdb-entry

Packet Storm Security

exploit

exploit

VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.