
Description

ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Insertion of Sensitive Information into Externally-Accessible File or Directory

Product status

3.0.1.6: affected

3.0.1.5 (160622): affected

3.0.1.1 (160216): affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php (Zero Science Lab Disclosure) third-party-advisory

cxsecurity.com/issue/WLB-2016080264 (CXSecurity) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/116487 (IBM X-Force Exchange) vdb-entry

packetstormsecurity.com/files/138565 (Packet Storm Security) exploit

www.exploit-db.com/exploits/40322/ (Reference) exploit

www.vulncheck.com/...e-file-permissions-privilege-escalation (VulnCheck Advisory: ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation) third-party-advisory

cve.org (CVE-2016-20024)

nvd.nist.gov (CVE-2016-20024)
