Security Flaw in ZKTeco WL20 Device Reveals Sensitive Data
CVE-2025-55280

5.2MEDIUM

Key Information:

Vendor: Zkteco Co
Status: Wl20 Biometric Attendance System
Vendor: CVE Published:; 13 August 2025

What is CVE-2025-55280?

The ZKTeco WL20 device contains a significant security flaw due to the storage of Wi-Fi credentials, configuration data, and system data in plaintext within its firmware. This weakness allows an attacker with physical access to the device to extract the firmware and reverse-engineer it, revealing sensitive plaintext data. Exploiting this flaw could enable unauthorized access to the network and the ability to retrieve or manipulate sensitive information stored on the device.

Affected Version(s)

WL20 Biometric Attendance System <=ZLM31-FXO1-3.1.8

References

https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOT...

third-party-advisory

CVSS V4

Score:

5.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 13, 2025
Vulnerability Reserved
Aug 12, 2025

Credit

This vulnerability is reported by Shravan Singh from Kavach IoT Security.