ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 6
https://cxsecurity.com/issue/WLB-2016090003
disclosure@vulncheck.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/116488
disclosure@vulncheck.com
https://packetstormsecurity.com/files/138571
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/40327/
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-local-authorization-b…
disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
disclosure@vulncheck.com