Historically, devices on the ZMM200/ZMM220 platform have been known to use various default login combinations for administrative access. While these can vary by firmware version, common default credentials often include:
More recently, CVE-2024-13966 was identified in ZKTeco BioTime software, allowing unauthenticated attackers to enumerate usernames and log in as any user whose password remains unchanged from the default value. While this primarily affects the BioTime software platform, it underscores the broader organizational risk of relying on unchanged default credentials.
If you own a ZMM220, treat it like any modern computer: reset it physically, use encrypted protocols (SSH), and store its unique password in a password manager. If you are a security researcher, this “update” is a positive sign—manufacturers are finally listening.
Because the ZMM220 platform runs an embedded Linux environment, updating the password typically requires establishing a connection to the device's command line or pushing a configuration script via the ZKAccess software SDK.
Method 1: Changing the Password via Telnet Command Line
“You cannot access the biometric machine through telnet. The username and password are set by the manufacturer. They will use the telnet account credentials only for their internal development and testing purposes.”
In response to increasing cybersecurity threats, newer firmware versions for the ZMM220 have implemented several security improvements:
Mandatory Password Changes:
By default, many ZMM220-based devices can be accessed via port 23 (Telnet). Researchers have identified several "classic" default credentials often used by manufacturers for internal testing or maintenance that remain active on production units:
Common Usernames:
Common Passwords:
One of the most critical vulnerabilities in these systems is the use of default telnet credentials.
Security analysis has rated this vulnerability as:
Root-level access allows malicious actors to download user databases, including employee PINs, card numbers, and biometric templates.
Place biometric and access control devices on a network segment that is physically or logically separated from general office networks.
The ZMM220 still monitors temperature today, but securely. Its new password is 32 characters long, stored in a vault, and rotated every 90 days. Telnet is gone forever.