CVE-2016-20024: ZKTeco ZKTime.Net World-Writable Directory Enables Local Privilege Escalation
A local privilege escalation vulnerability has been formally assigned and published in the NIST National Vulnerability Database for ZKTeco ZKTime.Net 3.0.1.6, tracked as CVE-2016-20024 (CVSS 9.8, Critical). The vulnerability arises from insecure directory permissions that allow any unprivileged local user to replace application executables with arbitrary malicious code — achieving privilege escalation to the context under which the ZKTime.Net service runs.
Although the CVE identifier references 2016, this entry was published to the NVD on March 16, 2026, indicating that formal disclosure and CVE assignment have only recently occurred. Organizations still running this software version are advised to patch or mitigate immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2016-20024 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-276 — Incorrect Default Permissions |
| Affected Product | ZKTeco ZKTime.Net 3.0.1.6 |
| Attack Vector | Local — requires access to the host system |
| Privileges Required | None (any local user account) |
| User Interaction | None |
| Scope | Changed — privilege escalation to service account |
| Patch Available | See vendor guidance |
Technical Background
ZKTime.Net is a widely deployed time and attendance management platform produced by ZKTeco, a Chinese manufacturer of biometric access control and workforce management systems. The software is used by HR and payroll departments globally to integrate with biometric fingerprint readers, card readers, and RFID attendance terminals.
The vulnerability stems from the installation routine setting world-writable permissions (Everyone: Full Control) on the ZKTimeNet3.0 installation directory and all files within it. This means:
- Any local user account on the Windows host — including low-privileged service accounts, domain users, or guest accounts — can modify or replace the application's executable files
- When the ZKTime.Net service or application is next launched (or restarted), the replaced executable runs in the privilege context of the service or the user who starts it
- If the service runs as LocalSystem, NetworkService, or a domain administrator, the attacker achieves that privilege level
Attack Flow
1. Attacker gains any local access to the Windows host running ZKTime.Net (domain user account, remote desktop, lateral movement, etc.)
2. Attacker enumerates the ZKTime.Net installation directory:
   icacls "C:\Program Files (x86)\ZKTimeNet3.0"
   → Output shows Everyone:(OI)(CI)(F) — Full Control to all users
3. Attacker replaces the ZKTimeNet3.0 executable or a loaded DLL with a malicious payload (reverse shell, credential dumper, etc.):
   copy malicious.exe "C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet3.exe"
4. Attacker triggers a service restart, waits for a scheduled restart, or social-engineers an administrator to relaunch the application
5. Malicious payload executes in the context of the service account (often LocalSystem), achieving full privilege escalation
Affected Environments
ZKTime.Net is commonly deployed in:
- Manufacturing facilities — factory floor attendance tracking
- Healthcare — staff time and attendance management
- Retail — shift and hourly worker management
- Educational institutions — staff attendance systems
- Government facilities — where physical access and attendance are co-managed
The software typically runs on Windows Server infrastructure and integrates directly with HR/payroll platforms, making it a high-value pivot target on corporate networks.
Remediation
Primary Fix
Contact ZKTeco for an updated version of ZKTime.Net that installs with restrictive directory permissions. Reference CVE-2016-20024 when requesting a patch.
Immediate Mitigation (Before Patching)
Restrict permissions on the ZKTime.Net installation directory:
```powershell
# Remove world-writable permissions and restrict to Administrators only
$path = "C:\Program Files (x86)\ZKTimeNet3.0"
# Stop inheriting from the parent directory (keeping a copy of the current entries),
# then strip every Everyone grant. /T recurses so that explicit Everyone entries on
# the existing files and subdirectories are removed too; /C continues past errors
icacls $path /inheritance:d
icacls $path /remove:g "Everyone" /T /C
# Grant Administrators full control
icacls $path /grant:r "BUILTIN\Administrators:(OI)(CI)(F)"
# Grant SYSTEM full control (for the service)
icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
# Grant the specific service account read + execute only
# (NT SERVICE\ZKTimeNet is the virtual account of a service named ZKTimeNet;
# substitute the account the ZKTime.Net service actually runs as)
icacls $path /grant:r "NT SERVICE\ZKTimeNet:(OI)(CI)(RX)"
# Verify results (recursively, so file-level entries are shown as well)
icacls $path /T
```
Service Account Hardening
- Run the ZKTime.Net service under a dedicated low-privilege service account rather than LocalSystem or an administrator account
- Apply the principle of least privilege: the service account should have only the permissions required to read configuration and write attendance logs
- Enable Windows Defender Credential Guard to limit lateral movement if the service account is compromised
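Before moving the service to a dedicated account it helps to know which account it runs as today. The script below is an added example, not part of this advisory or of ZKTeco's software: because the advisory does not name the Windows service, it matches services by the binary path under the installation directory quoted above (an assumption that the service binary lives there) and flags logons that would hand an attacker control of the host if the binary were replaced. Run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the advisory or from ZKTeco): report the logon account
# of every service whose binary lives under the ZKTime.Net install directory.
# $installDir is the path the advisory gives; the service name is not documented,
# so services are matched by binary path instead of by name.

$installDir = 'C:\Program Files (x86)\ZKTimeNet3.0'

function Get-ZKTimeServiceAccount {
    param([string]$InstallDir = $installDir)

    # Built-in identities that give an attacker full control of the host if they
    # can replace the service binary.
    $highPrivilege = @(
        'LocalSystem',
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\NETWORK SERVICE',
        'NT AUTHORITY\NetworkService'
    )

    # Members of the local Administrators group, used to flag admin-level local or
    # domain accounts that were chosen as the service logon.
    $admins = @()
    try {
        $admins = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name)
    } catch {
        Write-Warning "Could not read local Administrators membership: $_"
    }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$InstallDir*" } |
        ForEach-Object {
            $account = $_.StartName
            $reason = if ($highPrivilege -contains $account) { 'built-in high-privilege account' }
                      elseif ($admins -contains $account)    { 'member of local Administrators' }
                      else { $null }
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $account
                StartMode = $_.StartMode
                State     = $_.State
                Binary    = $_.PathName
                Finding   = if ($reason) { "ESCALATION RISK: $reason" }
                            else { 'Review the rights of this account manually' }
            }
        }
}

Get-ZKTimeServiceAccount | Format-List
```

Once a dedicated low-privilege account exists, the logon can be changed with `sc.exe config "<ServiceName>" obj= "DOMAIN\svc_zktime" password= "<password>"` (the space after `obj=` and `password=` is required by sc.exe), or with `obj= "NT SERVICE\<ServiceName>"` and no password to run the service under its own virtual account; that virtual account is the identity the `NT SERVICE\ZKTimeNet` read-and-execute grant in the mitigation script refers to, so the two settings have to agree.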
Detection
```powershell
# Check current permissions on ZKTime.Net directory
icacls "C:\Program Files (x86)\ZKTimeNet3.0"
# Look for "Everyone" or "Authenticated Users" with write/full access
# Flag: (W), (M), (F), or (OI)(CI)(F) entries for broad groups

# Monitor for executable replacements in the installation directory
# (-Recurse is required: without it, -Include on a directory path returns nothing)
Get-ChildItem "C:\Program Files (x86)\ZKTimeNet3.0" -Recurse -Include *.exe,*.dll |
    Select-Object FullName, LastWriteTime, Length | Sort-Object LastWriteTime -Descending
```
Unexpected changes to .exe or .dll file timestamps in the installation directory should be treated as a potential indicator of compromise.
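Timestamps can be reset by whoever replaced a file, so a more reliable check records what the ACL actually grants and what the binaries hash to. The following script is an added example, not part of this advisory or of ZKTeco's software; it covers both the permission condition described under Technical Background (a broad group holding any right that lets it replace a file) and the replacement monitoring described in this section. It assumes the installation path quoted in the advisory and chooses a baseline file location under ProgramData; both are assumptions. Run it elevated; the first run writes the baseline and later runs report new, changed or missing binaries.

```powershell
# Added example, not part of the advisory or of ZKTeco's software.
# 1. Reports Allow ACEs on the install directory and its binaries that give a
#    broad group (Everyone, Users, Authenticated Users, INTERACTIVE) any right
#    that would let it replace a file: the condition CVE-2016-20024 describes.
# 2. Keeps a SHA-256 inventory of the .exe/.dll files so a later run reports
#    new, changed or missing binaries instead of relying on timestamps alone.
# $installDir is the path from the advisory; $baselineFile is an assumed location.

$installDir   = 'C:\Program Files (x86)\ZKTimeNet3.0'
$baselineFile = Join-Path $env:ProgramData 'zktime-binaries.baseline.json'

$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow writing to or deleting a file, adding files to a directory,
# or rewriting the ACL itself. Read and execute bits are deliberately excluded.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = $R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
             $R::ChangePermissions -bor $R::TakeOwnership

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny entries only reduce access
        $identity = $ace.IdentityReference.Value
        if ($broadGroups -notcontains $identity) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-BinaryInventory {
    param([Parameter(Mandatory)][string]$Path)
    # -Recurse is required for -Include to apply to a directory path
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-BinaryInventory {
    param([Parameter(Mandatory)][string]$Path, [string]$BaselinePath = $baselineFile)
    $current = @(Get-BinaryInventory -Path $Path)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        Write-Host "Baseline written to $BaselinePath ($($current.Count) binaries). Re-run to compare."
        return
    }
    $baseline = @{}
    $parsed = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($entry in $parsed) { $baseline[$entry.Path] = $entry }
    foreach ($item in $current) {
        $old = $baseline[$item.Path]
        if (-not $old) { "NEW:     $($item.Path)"; continue }
        if ($old.Sha256 -ne $item.Sha256) {
            "CHANGED: $($item.Path) (hash differs; modified $($item.LastWriteTime))"
        }
    }
    foreach ($oldPath in $baseline.Keys) {
        if ($current.Path -notcontains $oldPath) { "MISSING: $oldPath" }
    }
}

if (-not (Test-Path -LiteralPath $installDir)) { throw "Install directory not found: $installDir" }

# Audit the directory itself and every binary under it.
$targets = [System.Collections.Generic.List[string]]::new()
$targets.Add($installDir)
Get-ChildItem -Path $installDir -Recurse -Include *.exe, *.dll -File | ForEach-Object { $targets.Add($_.FullName) }
$findings = @(foreach ($t in $targets) { Get-BroadWriteAce -Path $t })
if ($findings.Count) {
    Write-Host 'Broad write ACEs found (any local user can replace these):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No broad write ACEs found under $installDir."
}

Compare-BinaryInventory -Path $installDir
```

The ACL check deliberately tests the rights bitmask rather than looking for the literal strings `(F)` or `(M)`: an installer can grant a custom combination such as write-data plus delete that icacls prints as a list of individual flags, and that combination is still enough to swap a binary. Keep the baseline file on a path that the hardened ACL does not expose to the same broad groups, otherwise it can be edited along with the binaries.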
Impact Assessment
| Impact Area | Description |
|---|---|
| Privilege Escalation | Full escalation to service account privileges (potentially LocalSystem) |
| Persistence | Attacker can maintain persistent access via trojanized executables |
| Lateral Movement | Service account credentials may allow further network traversal |
| Data Theft | Access to biometric data, employee PII, and attendance records |
| Exploitation Barrier | Requires local system access — limits remote-only attack scenarios |
| Blast Radius | Any Windows host running ZKTime.Net 3.0.1.6 is affected |
Key Takeaways
- CVE-2016-20024 is a local privilege escalation flaw in ZKTeco ZKTime.Net 3.0.1.6 caused by world-writable installation directory permissions
- CVSS 9.8 (Critical) — any local user can replace application executables and escalate privileges
- Immediate mitigation: Harden directory permissions using icacls to restrict write access to Administrators and SYSTEM only
- Service hardening: Run ZKTime.Net under a dedicated low-privilege service account, not LocalSystem
- Contact ZKTeco for a patched installer that sets correct permissions by default