CVE-2016-20026
Published: 16 March 2026
Summary
CVE-2016-20026 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Deeper analysis
ZKTeco ZKBioSecurity 3.0 suffers from CVE-2016-20026, a critical vulnerability involving hardcoded credentials embedded in the bundled Apache Tomcat server's tomcat-users.xml configuration file. This flaw grants unauthorized access to the Tomcat manager application, enabling attackers to deploy malicious web archives. The issue, classified under CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential for remote exploitation without prerequisites.
Unauthenticated remote attackers can exploit this vulnerability by authenticating to the Tomcat manager using the hardcoded credentials. Once authenticated, they can upload arbitrary WAR archives containing malicious JSP applications, leading to remote code execution with SYSTEM-level privileges on the affected system. The attack requires no user interaction or privileges, making it highly accessible over the network.
Advisories and proof-of-concept exploits for this vulnerability are detailed in several references, including cxsecurity.com/issue/WLB-2016080266, exchange.xforce.ibmcloud.com/vulnerabilities/116484, packetstormsecurity.com/files/138567, www.exploit-db.com/exploits/40324, and www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution. These sources document the hardcoded credentials and exploitation steps but do not specify vendor-provided patches in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10807
Vulnerability details
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Hardcoded Tomcat manager credentials directly enable remote exploitation of a public-facing application: an attacker can upload and deploy a malicious WAR/JSP payload and achieve RCE through the resulting web shell.
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly mandates changing default and hardcoded authenticators before first use, which removes the known credentials in Tomcat's tomcat-users.xml that this vulnerability depends on.
- CM-6 (Configuration Settings): requires a secure baseline configuration for the bundled Tomcat server, including removal or modification of hardcoded credentials, so that unauthorized manager access is blocked.
- Flaw remediation: ensures timely identification, reporting, and remediation of flaws such as hardcoded credentials enabling RCE, through vulnerability monitoring and patching.
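As a concrete check for the IA-5 and CM-6 controls above, the following added audit script (not part of this advisory, ZKTeco's product, or Tomcat itself) parses a tomcat-users.xml and reports every account holding a manager or admin role whose password is stored in the clear rather than as a Tomcat digest. The sample XML, the account names and the digest value embedded in it are constructed for illustration.

```python
"""Audit a Tomcat tomcat-users.xml for privileged accounts with plaintext passwords."""
import re
import xml.etree.ElementTree as ET

# Roles that allow deploying applications or administering the server
# through the manager / host-manager web apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

# Heuristic: Tomcat's MessageDigestCredentialHandler stores passwords as
# "<salt>$<iterations>$<hexdigest>"; older setups store a bare hex digest
# (MD5/SHA-1/SHA-256/SHA-512). Anything else is treated as plaintext.
_SALTED = re.compile(r"^[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+$")
_BARE_HEX = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")


def looks_digested(password: str) -> bool:
    """True if the stored value looks like a Tomcat digest rather than a clear password."""
    return bool(_SALTED.match(password) or _BARE_HEX.match(password))


def audit_tomcat_users(xml_text: str) -> list[dict]:
    """Return one finding per <user> that holds a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # ignore the xmlns prefix, if any
            continue
        name = elem.get("username") or elem.get("name") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # read-only or application roles are out of scope
        findings.append({
            "username": name,
            "privileged_roles": privileged,
            "plaintext_password": not looks_digested(elem.get("password") or ""),
        })
    return findings


# Constructed sample: mimics a bundled Tomcat that ships a deploy-capable
# account in the clear. Values are placeholders, not real credentials.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="deploy" password="PLACEHOLDER-plaintext" roles="manager-gui,manager-script"/>
  <user username="viewer" password="also-plaintext" roles="tomcat"/>
  <user username="ops" password="a1b2c3d4$10000$9e107d9d372bb6826bd81d3542a419d6" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against the real file (for example `conf/tomcat-users.xml` under the bundled Tomcat) to get a list of accounts that must be rotated, digested, or removed before the system is exposed.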