ZKTeco WL20 Hard-Coded Private Key Vulnerability Allowing Unauthorized Decryption and Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in the ZKTeco WL20 Biometric Attendance System due to a hard-coded private key stored in plaintext within the device firmware. This vulnerability can be exploited by an attacker with physical access who extracts the firmware and analyzes the binary data to retrieve the private key. Successful exploitation could enable unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the affected device.
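The defect described above is the kind that a release gate can catch before firmware ships. The following scanner is an added example, not part of this advisory and not ZKTeco's code: it walks a firmware build image and reports PEM-encoded private keys (and, by a structural heuristic, DER-encoded PKCS#1/PKCS#8 keys) that are stored in the clear, distinguishing them from passphrase-wrapped blocks. The sample image, the fake key bodies and the `build_sample_image` helper are constructed for the demonstration; the PEM labels and the DER byte pattern are assumptions drawn from the standard encodings, not from the WL20 firmware.

```python
"""Release-gate check: find plaintext private keys inside a firmware image.

Added example for the advisory above (not ZKTeco's code). The sample image
built by build_sample_image() is constructed; its base64 bodies are filler,
not real key material.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PEM labels that denote private-key material: the RFC 7468 labels plus the
# traditional OpenSSL and OpenSSH ones (assumed set; extend as needed).
PRIVATE_KEY_LABELS = frozenset({
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
    "OPENSSH PRIVATE KEY",
})

_PEM_BEGIN = re.compile(rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----")

# Heuristic for DER keys: SEQUENCE with a two-byte length, INTEGER version 0,
# then either an INTEGER (PKCS#1 RSAPrivateKey modulus) or a SEQUENCE
# (PKCS#8 PrivateKeyInfo AlgorithmIdentifier). Encrypted PKCS#8 blobs start
# differently and deliberately do not match.
_DER_KEY = re.compile(rb"\x30\x82[\x00-\xff]{2}\x02\x01\x00(?:\x02\x82|\x30)")


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the match within the image
    encoding: str    # "PEM" or "DER"
    label: str       # PEM label, or a note that the DER match is heuristic
    complete: bool   # PEM: matching END line present; DER: always True
    plaintext: bool  # True unless a passphrase wrapper was positively detected


def scan_firmware(blob: bytes) -> list[Finding]:
    """Return every private-key candidate in blob, ordered by offset."""
    findings: list[Finding] = []

    for m in _PEM_BEGIN.finditer(blob):
        label = m.group(1).decode("ascii")
        if label not in PRIVATE_KEY_LABELS:
            continue  # unknown label: do not report
        end = blob.find(b"-----END " + m.group(1) + b"-----", m.end())
        complete = end != -1
        body = blob[m.end():end] if complete else blob[m.end():m.end() + 4096]
        # Legacy OpenSSL PEM encryption announces itself with a
        # "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses a distinct label.
        # OPENSSH blocks keep their cipher name inside the base64 body, so
        # they are reported as plaintext here (the conservative choice).
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or b"Proc-Type: 4,ENCRYPTED" in body)
        findings.append(Finding(m.start(), "PEM", label, complete, not encrypted))

    for m in _DER_KEY.finditer(blob):
        # A raw PKCS#1/PKCS#8 structure carries no encryption wrapper, so a
        # match is plaintext key material by construction.
        findings.append(Finding(m.start(), "DER", "DER private key (heuristic)", True, True))

    return sorted(findings, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed firmware-like blob: filler around three fake key artefacts."""
    filler = b"\xff" * 256
    plain_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 + b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n" * 3
                 + b"-----END RSA PRIVATE KEY-----\n")
    wrapped_pem = (b"-----BEGIN EC PRIVATE KEY-----\n"
                   b"Proc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   + b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n" * 2
                   + b"-----END EC PRIVATE KEY-----\n")
    # Leading bytes of a DER PKCS#1 RSAPrivateKey: SEQUENCE, INTEGER 0, INTEGER
    der_head = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00"
    return filler + plain_pem + filler + wrapped_pem + filler + der_head + filler


if __name__ == "__main__":
    for f in scan_firmware(build_sample_image()):
        state = "PLAINTEXT" if f.plaintext else "passphrase-wrapped"
        print(f"0x{f.offset:08x} {f.encoding:3} {f.label:30} {state}")
```

Run it against a real build artifact by reading the image into `scan_firmware` instead of the constructed sample; any `PLAINTEXT` finding should fail the build. The DER heuristic only recognises keys whose length field is two bytes (roughly 256 bytes to 64 KiB, which covers common RSA and EC key sizes), and keys stored compressed or inside an encrypted partition need to be unpacked first, so treat this as one gate among several rather than proof of absence.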

Impact

Exploitation of this vulnerability could allow an attacker to perform unauthorized decryption of sensitive data and conduct Man-in-the-Middle attacks on the targeted device.

Remediation

Users are advised to upgrade the ZKTeco WL20 Biometric Attendance System firmware to version ZLM31-FXO1-4.0.3. If no update is available, discontinue use of the product and implement physical security controls to prevent unauthorized access to the device.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 3.3
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.