Detections
Analytics

CVE-2016-20030

critical

Description

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php

https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-user-enumeration-via-authloginaction

https://packetstormsecurity.com/files/138573

https://exchange.xforce.ibmcloud.com/vulnerabilities/116485

Details

Source: Mitre, NVD

Published: 2026-03-16

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.00056