CVE-2016-20026

ZKTeco · ZKBioSecurity

ZKTeco ZKBioSecurity 3.0 uses hardcoded credentials in its bundled Apache Tomcat server, allowing unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

Executive summary

The use of hardcoded credentials in ZKTeco ZKBioSecurity 3.0 allows unauthenticated attackers to upload malicious applications and gain full SYSTEM-level control of the server.

Vulnerability

The bundled Apache Tomcat server contains hardcoded credentials in the tomcat-users.xml file. Unauthenticated attackers can use these credentials to access the Tomcat Manager, upload malicious WAR files (JSP shells), and execute code with SYSTEM privileges.

Business impact

This is a Critical vulnerability (CVSS 9.8) that results in total system compromise. An attacker can use the hardcoded credentials to bypass authentication entirely and gain the highest possible permissions on the host, leading to the theft of biometric data, physical security bypasses, and lateral movement.

Remediation

Immediate Action: Update ZKBioSecurity to the latest version and manually change any default or hardcoded passwords in the tomcat-users.xml file.

Proactive Monitoring: Check for the presence of unauthorized .war files in the Tomcat webapps directory and monitor access logs for requests to unexpected JSP files.

Compensating Controls: Disable the Tomcat Manager application if it is not required for operational purposes and restrict access to the Tomcat management ports (typically 8080/8443) via firewall.
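As an added defensive example (not ZKTeco's or Apache Tomcat's own code), the following Python audit covers the checks above: it parses a tomcat-users.xml for accounts holding Manager roles, lists deployed webapps not on an allowlist together with any JSP files inside them, and reports whether the manager application is deployed. The sample XML, the PLACEHOLDER_* user, and the temporary webapps layout are constructed for the demonstration; a standard Tomcat conf/ and webapps/ layout is assumed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed sample tomcat-users.xml; PLACEHOLDER_* stand in for whatever the
# shipped file contains (the real hardcoded values are not reproduced here).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="PLACEHOLDER_ADMIN" password="PLACEHOLDER_PW" roles="manager-gui,manager-script"/>
  <user username="probe" password="x" roles="probe"/>
</tomcat-users>"""

def manager_users(xml_text):
    """Return [(username, sorted roles)] for every <user> holding a Manager role."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":      # ignore the default namespace prefix
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found.append((el.get("username") or el.get("name"), sorted(roles)))
    return found

def audit_webapps(webapps_dir, expected):
    """Flag apps not on the allowlist, JSPs inside them, and whether manager is deployed."""
    apps = {e[:-4] if e.lower().endswith(".war") else e for e in os.listdir(webapps_dir)}
    unexpected = sorted(a for a in apps if a not in expected)
    jsps = []
    for app in unexpected:   # os.walk yields nothing if only the .war exists (not yet expanded)
        for dirpath, _, files in os.walk(os.path.join(webapps_dir, app)):
            jsps += [os.path.relpath(os.path.join(dirpath, f), webapps_dir).replace(os.sep, "/")
                     for f in files if f.lower().endswith(".jsp")]
    return {"unexpected_apps": unexpected, "jsps_in_unexpected": sorted(jsps),
            "manager_deployed": "manager" in apps}

def build_sample_layout():
    """Constructed webapps/ tree: ROOT and manager plus a stray app deployed from a .war."""
    base = tempfile.mkdtemp()
    for d in ("ROOT", "manager", "stray"):
        os.makedirs(os.path.join(base, d))
    open(os.path.join(base, "stray.war"), "wb").close()
    open(os.path.join(base, "stray", "dropped.jsp"), "w").close()
    return base
```

On a real host, point manager_users at the contents of CATALINA_BASE/conf/tomcat-users.xml and audit_webapps at CATALINA_BASE/webapps with the set of applications you expect; any Manager-role account or unexpected app is a finding to act on.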

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a severe failure in security configuration. Organizations must treat this as an emergency update. If a patch cannot be applied, the bundled Tomcat configuration must be manually hardened to remove the hardcoded credentials and secure the Manager interface.