Hard-coded Key Vulnerability in ZKTeco WL20 Device
CVE-2025-55279

6.9MEDIUM

Key Information:

Vendor: Zkteco Co
Status: Wl20 Biometric Attendance System
Vendor: CVE Published:; 13 August 2025

What is CVE-2025-55279?

A vulnerability has been identified in the ZKTeco WL20 due to the presence of a hard-coded private key stored in plaintext in the device firmware. This situation poses a significant security risk, as an attacker with physical access to the device can extract and analyze the firmware to unearth the sensitive key. The exploitation of this vulnerability may lead to unauthorized decryption of confidential data and enable Man-in-the-Middle (MitM) attacks, compromising the device's integrity and user confidentiality.

Affected Version(s)

WL20 Biometric Attendance System <=ZLM31-FXO1-3.1.8

References

https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOT...

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 13, 2025
Vulnerability Reserved
Aug 12, 2025

Credit

This vulnerability is reported by Shravan Singh from Kavach IoT Security.