[CIVN-2025-0172] Multiple Vulnerabilities in ZKTeco WL20 Biometric Attendance System
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
ZKTeco WL20 Biometric Attendance System: Version ZLM31-FXO1-3.1.8 and earlier
Overview
Multiple vulnerabilities have been reported in ZKTeco WL20 which could allow an attacker to gain unauthorized access to sensitive information and to the Message Queuing Telemetry Transport (MQTT) broker associated with the targeted device.
Target Audience:
End-users/ Administrators of ZKTeco WL20 Biometric Attendance System
Risk Assessment:
Risk of exposure of credentials, private keys, configuration data, system data and MQTT endpoints.
Impact Assessment:
Impact on confidentiality and integrity of the vulnerable device.
Description
The ZKTeco WL20 Biometric Attendance System is a fingerprint-based time & attendance terminal equipped with Wi‑Fi connectivity.
1. Cleartext Storage Vulnerability (CVE-2025-54464)
This vulnerability exists in ZKTeco WL20 due to storage of admin and user credentials without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary data to access the unencrypted credentials stored in the firmware of the targeted device.
2. Hard-coded Credentials Vulnerability (CVE-2025-54465)
This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device.
3. Hard-coded Private Key Vulnerability (CVE-2025-55279)
This vulnerability exists in ZKTeco WL20 due to a hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the private key stored in the firmware of the targeted device.
Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks against the targeted device.
4. Information Disclosure Vulnerability (CVE-2025-55280)
This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary data to access the plaintext sensitive data stored on the targeted device.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized network access and to retrieve and manipulate data on the targeted device.
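The four issues above share one root cause: secrets written into the firmware image in plaintext. The following is an added example (not CERT-In's or ZKTeco's code) of a pre-deployment audit an administrator can run over a firmware image to confirm whether it still carries such artifacts, for instance when comparing an affected image with the vendor's fixed release. The patterns and the sample image are constructed assumptions and do not describe the WL20 firmware layout.

```python
"""Audit a raw firmware image for plaintext secret artifacts (added example)."""
import re
from dataclasses import dataclass

# Only printable ASCII runs of 8+ bytes are examined, like a `strings` pass.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Classes of artifacts the advisory describes; patterns are assumptions.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "mqtt_credential_uri": re.compile(rb"mqtts?://[^\s:@/]+:[^\s@/]+@[^\s/\"']+"),
    "wifi_psk": re.compile(rb"(?:psk|wpa_passphrase|wifi_password)\s*[=:]\s*\S+", re.I),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int
    redacted: str


def redact(raw: bytes) -> str:
    """Keep enough context to locate the finding without copying the secret."""
    text = raw.decode("ascii", "replace")
    return text if len(text) <= 12 else text[:8] + "..." + text[-4:]


def scan_firmware(image: bytes) -> list[Finding]:
    """Return all matches, ordered by byte offset in the image."""
    findings = []
    for run in PRINTABLE_RUN.finditer(image):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(run.group()):
                findings.append(Finding(kind, run.start() + m.start(), redact(m.group())))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample image: binary filler around three plaintext artifacts.
SAMPLE_IMAGE = (
    b"\x00\x01\x7fELF" + b"\xff" * 32
    + b"mqtt://device01:s3cretpass@broker.example.invalid:1883\x00" + b"\x00" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    + b"wpa_passphrase=OfficeWiFi2024\x00" + b"\x90" * 8
)

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_IMAGE):
        print(f"{f.kind:20} @0x{f.offset:08x} {f.redacted}")
```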
Credit
These vulnerabilities were reported by Shravan Singh from Kavach IoT Security.
Solution
CVE-2025-54464 and CVE-2025-54465: Upgrade ZKTeco WL20 Biometric Attendance System firmware to version ZLM31-FXO1-4.0.3.
https://www.zkteco.com/en/Security_Bulletinsibs/20
CVE-2025-55279 and CVE-2025-55280:
Apply mitigations as per vendor instructions (whenever available) or discontinue the use of the product if mitigations are unavailable.
Perform risk assessment and implement physical security controls to prevent unauthorized access to the device.
Vendor Information
ZKTeco Co
https://www.zkteco.com/en/Security_Bulletinsibs/20
References
ZKTeco Co
https://www.zkteco.com/en/Security_Bulletinsibs/20
CVE Name
CVE-2025-54464
CVE-2025-54465
CVE-2025-55279
CVE-2025-55280
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003