Cyber Resilience

CVE-2016-20026

Critical · Public PoC · Updated

Published: 16 March 2026
Modified: 08 June 2026
KEV Added
Patch
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0078 (51.2 percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2016-20026 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Cxsecurity (vendor inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 48.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

ZKTeco ZKBioSecurity 3.0 suffers from CVE-2016-20026, a critical vulnerability involving hardcoded credentials embedded in the bundled Apache Tomcat server's tomcat-users.xml configuration file. This flaw grants unauthorized access to the Tomcat manager application, enabling attackers to deploy malicious web archives. The issue, classified under CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential for remote exploitation without prerequisites.

Unauthenticated remote attackers can exploit this vulnerability by authenticating to the Tomcat manager using the hardcoded credentials. Once authenticated, they can upload arbitrary WAR archives containing malicious JSP applications, leading to remote code execution with SYSTEM-level privileges on the affected system. The attack requires no user interaction or privileges, making it highly accessible over the network.
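Because the weakness lives in a single configuration file, a defender can audit it directly. The following script is an added example, not code from the page, the referenced advisories, or ZKTeco: it parses a tomcat-users.xml and flags every account that holds a role granting access to the Tomcat Manager or Host Manager application, which is the access path this CVE abuses. The sample file and its credential values are constructed for the example and are not the real ZKBioSecurity credentials.

```python
"""Audit a Tomcat tomcat-users.xml for accounts that can reach the Manager app."""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
# Every account holding one of these should be deliberate, unique and rotated.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed sample resembling a shipped tomcat-users.xml (made-up values,
# not the real ZKBioSecurity file).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="app-user"/>
  <user username="deploy" password="changeme" roles="manager-gui,manager-script"/>
  <user username="kiosk" password="changeme2" roles="app-user"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_manager_accounts(xml_text):
    """Return [(username, sorted manager roles)] for each user element that can
    reach the Manager app. An empty list means this file exposes no such account."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hit = roles & MANAGER_ROLES
        if hit:
            # Tomcat accepts either username= or name= on a user element.
            name = elem.get("username") or elem.get("name") or "<unnamed>"
            findings.append((name, sorted(hit)))
    return findings

def audit(xml_text):
    """Human-readable findings; each flagged account is a candidate for removal
    or credential rotation (the NIST 800-53 IA-5 / CM-6 measures cited on this page)."""
    return [f"{user}: holds {', '.join(roles)}"
            for user, roles in find_manager_accounts(xml_text)]

if __name__ == "__main__":
    for line in audit(SAMPLE_TOMCAT_USERS):
        print("FLAG", line)
```

Run it against the tomcat-users.xml of each Tomcat instance in the estate; any account it flags that is not an intentionally provisioned, per-deployment administrator is the condition this CVE describes.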

Advisories and proof-of-concept exploits for this vulnerability are detailed in several references, including cxsecurity.com/issue/WLB-2016080266, exchange.xforce.ibmcloud.com/vulnerabilities/116484, packetstormsecurity.com/files/138567, www.exploit-db.com/exploits/40324, and www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution. These sources document the hardcoded credentials and exploitation steps but do not specify vendor-provided patches in the available information.

Vulnerability details

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Hardcoded Tomcat manager credentials directly enable remote exploitation of a public-facing application: the attacker uploads and deploys a malicious WAR/JSP payload, achieving remote code execution through a web shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-7401 (shared CWE-798)
- CVE-2020-36911 (shared CWE-798)
- CVE-2026-30701 (shared CWE-798)
- CVE-2026-35503 (shared CWE-798)
- CVE-2017-20234 (shared CWE-798)
- CVE-2026-32834 (shared CWE-798)
- CVE-2025-42890 (shared CWE-798)
- CVE-2026-27073 (shared CWE-798)
- CVE-2026-25202 (shared CWE-798)
- CVE-2025-56749 (shared CWE-798)

Affected Assets

Cxsecurity (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

- prevent: Directly mandates changing default and hardcoded authenticators prior to first use, preventing exploitation of the known credentials in Tomcat's tomcat-users.xml.
- prevent: Requires secure baseline configuration settings for the Tomcat server, including removal or modification of hardcoded credentials to block unauthorized manager access.
- prevent: Ensures timely identification, reporting, and remediation of flaws like hardcoded credentials enabling RCE, through vulnerability monitoring and patching.

References