How safe is your fingerprint or face scan? What if someone could replicate your biometric data with a fake QR code, or access your identity just by plugging into a terminal with a USB drive? If an attacker could lift your fingerprint or copy your facial recognition data, could they use it to walk straight into your office—or a secure government facility—without leaving a trace? In the world of physical security, biometrics have long been viewed as the gold standard for seamless, high-assurance authentication. But what happens when the very systems meant to protect us become the vector for attack?
Recent revelations have exposed weaknesses in some of the world’s most widely deployed biometric terminals. In an investigation, Kaspersky researchers uncovered 24 critical vulnerabilities in ZKTeco devices—used globally in hospitals, data centers, airports, and industrial sites. These flaws don’t just represent theoretical risks. They provide attackers with practical methods to bypass identity checks, implant malware, and even extract and reuse biometric templates—data that, unlike passwords, you can't simply change.
This article will unpack the technical details behind these vulnerabilities, examine the physical attack vectors that real-world adversaries could exploit, and highlight the deeper risks facing modern biometric security. Whether you're in physical penetration testing, corporate security, or digital forensics, understanding these exploits is no longer optional—it's essential.
The Vulnerabilities
ZKTeco’s biometric terminals, deployed in sensitive locations around the world, are riddled with 24 critical vulnerabilities that span both hardware and software layers. These flaws are not just bugs—they represent concrete attack vectors that adversaries can chain together to gain full control over authentication systems, steal unchangeable personal data, and establish long-term persistence within a physical environment.
Breakdown of the discovered vulnerabilities:
6 SQL Injection vulnerabilities
These flaws allow attackers to manipulate backend databases by injecting malicious SQL commands. This could let them view or alter user records, extract biometric templates, or escalate privileges to gain administrative access.
7 Buffer Stack Overflow vulnerabilities
These memory handling issues can be triggered to overwrite parts of system memory. Attackers can exploit them to execute arbitrary code, crash the device, or implant persistent malware by hijacking process control.
5 Command Injection vulnerabilities
Insecure input handling allows system commands to be executed directly through user input—giving attackers remote control capabilities, such as downloading malware or disabling logging mechanisms.
4 Arbitrary File Write vulnerabilities
Attackers can use these to overwrite critical system files—modifying configuration settings, injecting startup scripts, or replacing binaries to maintain control or disable security features.
2 Arbitrary File Read vulnerabilities
These provide unauthorized access to sensitive system files—such as user credentials, stored logs, or biometric data—without proper authentication.
Individually, they expose sensitive data or permit tampering. When chained, they allow full device compromise, from spoofing identities and stealing credentials to embedding rootkits and rerouting network traffic.
In addition to the above, researchers found vulnerabilities in QR code parsing, weak SSH access protections, and the ability to extract biometric templates in plaintext. Since these terminals are often networked and exposed in public or semi-public environments, the attack surface is enormous.
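As an added example that is not part of the Kaspersky research or any ZKTeco code, the Python sketch below puts three of the input-handling defect classes listed above beside their hardened form: a badge lookup that splices text into SQL next to a parameterized one, a log-file resolver that refuses paths escaping its directory (the arbitrary file read class), and a QR credential parser that bounds and strictly validates the payload before anything else touches it. The user table layout, the badge format, and the log directory are assumptions made for the demonstration.

```python
import os
import re
import sqlite3
from typing import Optional

# Constructed in-memory stand-in for a terminal's user database (layout is assumed).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, badge TEXT, role TEXT, template BLOB)"
    )
    conn.executemany(
        "INSERT INTO users (badge, role, template) VALUES (?, ?, ?)",
        [("A1001", "staff", b"\x01\x02"), ("A1002", "admin", b"\x03\x04")],
    )
    return conn

def lookup_badge_unsafe(conn: sqlite3.Connection, badge: str) -> list:
    # SQL injection pattern: the badge text is spliced straight into the query,
    # so a crafted badge string changes the query's logic instead of its data.
    query = f"SELECT badge, role FROM users WHERE badge = '{badge}'"
    return conn.execute(query).fetchall()

def lookup_badge_safe(conn: sqlite3.Connection, badge: str) -> list:
    # Hardened form: a bound parameter is always treated as a value, never as SQL.
    return conn.execute(
        "SELECT badge, role FROM users WHERE badge = ?", (badge,)
    ).fetchall()

LOG_ROOT = "/var/lib/terminal/logs"  # assumed log directory for the demo

def resolve_log_path(requested: str, root: str = LOG_ROOT) -> Optional[str]:
    # Arbitrary file read guard: resolve the request against the log directory and
    # refuse anything ("..", absolute paths, symlinks) that ends up outside it.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

BADGE_RE = re.compile(r"[A-Z][0-9]{4}")  # assumed badge format, e.g. A1001
MAX_QR_BYTES = 64                        # bound chosen for the demo

def parse_qr_credential(payload: bytes) -> Optional[str]:
    # QR parsing guard: reject oversized payloads before decoding (a fixed bound is
    # exactly what overflow-prone parsers lack) and accept only the badge grammar
    # rather than trusting whatever the code happens to encode.
    if len(payload) > MAX_QR_BYTES:
        return None
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not BADGE_RE.fullmatch(text):
        return None
    return text

if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"  # classic tautology string, used only to show the difference
    print("unsafe:", lookup_badge_unsafe(db, probe))   # returns every user
    print("safe:  ", lookup_badge_safe(db, probe))     # returns nothing
    print(resolve_log_path("2024/access.log"), resolve_log_path("../../etc/passwd"))
    print(parse_qr_credential(b"A1001"), parse_qr_credential(b"A1001' OR '1'='1"))
```

The three guards share one idea: decide what the input is allowed to be before it reaches the database, the filesystem, or a parser, which is the property the report's SQL injection, file read, and QR parsing findings all lack.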
This range of vulnerabilities shows not just lapses in secure coding, but a systemic failure in designing biometric systems with attacker behavior in mind—especially physical adversaries who can get close to, or even interact with, these devices directly.
Attack Routes
To actually attack these machines, an adversary either needs physical access to them or, in the best case scenario (for the attacker), the terminals are wired up to the internal network, or in an incredibly stupid situation to an external one. From a threat perspective, however, it's useful to look at this through the two obvious lenses of insider and outsider threats.
In the case of the ZKTeco biometric vulnerabilities, the difference between an insider and an outsider threat is mostly one of perception, not access. Both threat actors can exploit the same weaknesses using identical methods; the only real variable is trust.
An insider, such as an employee or contractor, already moves freely through the environment and is rarely questioned. With minimal scrutiny, they can plug in a USB, spoof QR codes, or extract biometric templates using the known command injection or file write flaws, often under the guise of routine work.
An outsider, meanwhile, can gain similar proximity by posing as a technician or vendor. A clipboard and confidence can go a long way. Once near the terminal, they can execute the same exploits as an insider: planting backdoors, pulling biometric data, or disabling logging.
Both threats are especially effective after hours, when only cleaning crews are present, people unlikely to question someone “fixing” a terminal. During this quiet window, attackers gain time, cover, and plausible deniability.
Bottom line: insider or outsider, the attack vector is the same. The only thing that changes is the badge, and even that can be faked.
The Threats from These Vulnerabilities
The ZKTeco biometric vulnerabilities open the door to several high-probability, high-impact threats:
Biometric Theft
Attackers can extract fingerprint or facial templates via SQL injection or file read flaws. These are permanent identifiers—once stolen, they can't be changed. Stolen templates can be reused in spoofing attacks or sold on black markets.
This is likely the one that I would be the most concerned about as you can not only steal the data of other users, but this theft could likely give you access to other facilities that those same users would have access to.
In the past, I have used similar tricks where you go to a target’s branch office where security is low, steal / copy / clone physical credentials, ID cards for example, and then use them on the target’s HQ or location with much higher security where you now have a valid badge and access.
So in this instance, you may steal the biometrics from a branch location with low security, then leverage that to get into something like a data center.
Physical Access Bypass
QR spoofing or authentication bypass lets attackers unlock secured doors with fake credentials—gaining entry to sensitive areas without detection.
This is probably my second highest security risk, in my opinion, as if the QR is static then a simple photo would allow you to bypass any location that user has access to. But being able to spoof an access credential is itself a huge issue for physical security.
Backdoor Installation
Exploiting buffer overflows or file write flaws, attackers can plant malware or persistent access mechanisms. This allows long-term control over the device, including stealth access or disabling logs.
Network Pivoting
Compromised terminals can be used to scan internal networks, access other systems, or spread malware—turning physical entry points into digital beachheads.
This has the potential to be a huge security issue, but would obviously depend greatly on how the internal network was setup and what the machines have access to.
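Whether a compromised terminal can actually pivot depends, as the paragraph says, on how the internal network is segmented. One defensive check that follows from that is to treat the terminals as a fixed-purpose device class and alert when one of them talks to anything outside its allow-list or starts touching many hosts. The Python below is an added example, not from the article or any vendor tooling; the terminal VLAN, the allowed peers, and the flow records are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumed segmentation policy (not from the article): terminals sit in one VLAN and
# may only talk to the access-control server and the NTP host.
TERMINAL_NET = ipaddress.ip_network("10.20.40.0/24")
ALLOWED_PEERS = {"10.20.30.5", "10.20.30.6"}

# Constructed flow records as (src_ip, dst_ip, dst_port). Real input would come from
# NetFlow, firewall, or switch logs.
SAMPLE_FLOWS = [
    ("10.20.40.11", "10.20.30.5", 443),    # normal: terminal -> access-control server
    ("10.20.40.11", "10.20.30.6", 123),    # normal: terminal -> NTP
    ("10.20.40.12", "10.20.30.5", 443),    # normal
    ("10.20.40.12", "10.20.50.10", 445),   # unexpected: terminal -> file server
    ("10.20.40.12", "10.20.50.11", 22),    # unexpected: one terminal touching many hosts
    ("10.20.40.12", "10.20.50.12", 22),
    ("10.20.40.12", "10.20.50.13", 22),
    ("10.20.40.12", "10.20.50.14", 22),
    ("10.20.40.12", "10.20.50.15", 22),
    ("10.20.60.7", "10.20.50.10", 445),    # not a terminal; out of scope for this check
]

def find_pivot_candidates(flows, terminal_net=TERMINAL_NET,
                          allowed_peers=ALLOWED_PEERS, sweep_threshold=5):
    """Return terminal-originated flows that break the allow-list, plus any
    terminal that reached at least sweep_threshold distinct non-allowed hosts."""
    unexpected = []
    peers_per_terminal = defaultdict(set)
    for src, dst, dport in flows:
        if ipaddress.ip_address(src) not in terminal_net:
            continue  # only traffic originating from a terminal is in scope
        if dst in allowed_peers:
            continue  # sanctioned destination
        unexpected.append((src, dst, dport))
        peers_per_terminal[src].add(dst)
    sweeps = {src: len(peers) for src, peers in peers_per_terminal.items()
              if len(peers) >= sweep_threshold}
    return {"unexpected": unexpected, "sweeps": sweeps}

if __name__ == "__main__":
    result = find_pivot_candidates(SAMPLE_FLOWS)
    for src, dst, dport in result["unexpected"]:
        print(f"allow-list violation: {src} -> {dst}:{dport}")
    for src, count in result["sweeps"].items():
        print(f"possible sweep from terminal {src}: {count} distinct hosts")
```

The allow-list violation is the stronger signal on a properly segmented network, since a terminal has no legitimate reason to reach a file server; the sweep count catches the case where the policy is looser than it should be and only the volume of distinct destinations gives the compromise away.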
Conclusion
Obviously, testing these systems and identifying these findings is what should happen in the security process. What will be interesting to see is how many users of these biometric systems actually update and patch out these vulnerabilities (assuming they are actually patched by the vendor), and what the latency is between the findings' discovery and the actual remediation of these systems.
In the meantime, however, these vulnerabilities are certainly something security on both the defensive and offensive sides should be aware of and check for.