CVE-2016-20024

CRITICAL

ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation

Title source: cna

Description

ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.

Exploits (1)

exploitdb WRITEUP
by LiquidWorm · text · local · windows
https://www.exploit-db.com/exploits/40322

Scores

CVSS v3: 9.8
EPSS: 0.0003
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-538
Status: published
Products (3)
ZKTeco Inc./ZKTeco ZKTime.Net 3.0.1.1 (160216)
ZKTeco Inc./ZKTeco ZKTime.Net 3.0.1.5 (160622)
ZKTeco Inc./ZKTeco ZKTime.Net 3.0.1.6
Published: Mar 16, 2026
Tracked Since: Mar 16, 2026