ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value 123456. Users should change their passwords (located under the Attendance Settings tab as Self-Password).
The product uses default passwords for potentially critical functionality.