It is. ZKTeco prioritizes ease of installation for technicians over security. It is assumed that the installing IT team will change it. Unfortunately, many don't.

Do not forward Port 80 or 443 from your router to the ZKTeco device. If you need remote access, use a VPN (Virtual Private Network). If you see your device on Shodan.io, you are already in danger.
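An added example (not from ZKTeco or the original page): a check over a router's NAT table that flags port forwards reaching port 80 or 443 on the device, including forwards that remap a different external port onto them. It assumes a Linux-based router whose rules can be exported with `iptables-save`, and IPv4 only; the sample rules, the interface name `wan0` and the function name `exposed_forwards` are constructed for illustration, and the device address is the example IP this page uses.

```python
import ipaddress

WEB_PORTS = {80, 443}  # the ports the page says must never be forwarded

# Constructed sample in iptables-save format (not taken from a real router).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i wan0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.201:80
-A PREROUTING -i wan0 -p tcp -m multiport --dports 443,8443 -j DNAT --to-destination 192.168.1.201
-A PREROUTING -i wan0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i wan0 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.1:51820
COMMIT
"""

def _ports(spec):
    """Expand '80', '80:90', '80-90' or '443,8443' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.replace("-", ":").partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def exposed_forwards(rules_text, device_ips, ports=WEB_PORTS):
    """Return (rule, internal_ports) for DNAT rules that reach a device port."""
    devices = {ipaddress.ip_address(ip) for ip in device_ips}
    findings = []
    for line in rules_text.splitlines():
        tok = line.split()
        if "DNAT" not in tok or "--to-destination" not in tok:
            continue
        host, _, to_port = tok[tok.index("--to-destination") + 1].partition(":")
        first, _, last = host.partition("-")  # destination may be an IP range
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        if not any(lo <= d <= hi for d in devices):
            continue
        matched = next((tok[i + 1] for i, t in enumerate(tok[:-1])
                        if t in ("--dport", "--dports")), None)
        # Internal port: explicit remap, else the matched external port(s),
        # else every port (a rule with no port match forwards everything).
        spec = to_port or matched
        internal = _ports(spec) if spec else set(ports)
        hit = internal & set(ports)
        if hit:
            findings.append((line, sorted(hit)))
    return findings

if __name__ == "__main__":
    for rule, hit in exposed_forwards(SAMPLE_RULES, ["192.168.1.201"]):
        print(f"device port(s) {hit} reachable from WAN via: {rule}")
```

The first sample rule is the case a plain search for "port 80" in the router UI misses: external port 8080 is remapped onto the device's port 80.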

Enter the device’s IP address in a web browser (e.g., http://192.168.1.201). Make sure your computer is on the same local network.

Default credentials are the pre-configured login details that come with a device or software. In the case of ZKTeco Web 3.0, the default credentials are used to access the system for the first time. These credentials are usually set by the manufacturer and are meant to be changed by the administrator during the initial setup.

Some specialized setups (like Gateway configurations) may require specific ports, such as :44444.

Security Considerations

When these devices are deployed on a network without updating the administrative credentials, they become low-hanging fruit for unauthorized access. A breach at the web interface level could allow an attacker to: