CVE-2016-20031

Description

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck

Problem types

Use of Hard-coded Credentials

Product status

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php (Zero Science Lab Disclosure) third-party-advisory

cxsecurity.com/issue/WLB-2016090003 (CXSecurity) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/116488 (IBM X-Force Exchange) vdb-entry

packetstormsecurity.com/files/138571 (Packet Storm Security) exploit

www.exploit-db.com/exploits/40327/ (Reference) exploit

www.vulncheck.com/...l-authorization-bypass-via-vislogin-jsp (VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp) third-party-advisory

cve.org (CVE-2016-20031)

nvd.nist.gov (CVE-2016-20031)

Download JSON