Cyber Resilience

CVE-2016-20030

Critical · Public PoC · Updated

Published: 16 March 2026

Modified: 08 June 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0056 (42.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2016-20030 is a critical-severity Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551) vulnerability in Ibmcloud (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-6 (Authentication Feedback) and SI-11 (Error Handling).

Deeper analysis

ZKTeco ZKBioSecurity 3.0 suffers from a user enumeration vulnerability, identified as CVE-2016-20030 and associated with CWE-551. This flaw enables unauthenticated attackers to identify valid usernames by submitting partial character strings through the username parameter in requests to the authLoginAction!login.do script. The application responds differently to valid versus invalid inputs, allowing attackers to systematically discover active user accounts. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending multiple HTTP requests with incremental or partial username guesses to the login endpoint, attackers differentiate valid accounts based on response variations, such as timing, status codes, or error messages. Successful enumeration provides a list of legitimate usernames, which can facilitate subsequent attacks like targeted brute-force password guessing, credential stuffing, or social engineering.
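The response-variation pattern described above (many distinct, often prefix-extended, username values arriving at the login endpoint from one source) is something a defender can hunt for in web access logs. The following is an added example written for this page, not code from the advisory, the vendor or any of the cited sources. It assumes a simple constructed log format (`<ip> <iso-timestamp> <method> <path?query> <status>`) with the username carried as a query parameter, and the window and threshold values are tuning assumptions:

```python
"""Detect username-enumeration bursts against a login endpoint from web access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

LOGIN_PATH = "/authLoginAction!login.do"   # endpoint named in the advisory
WINDOW = timedelta(minutes=5)              # sliding window per source IP (assumed tuning value)
DISTINCT_USER_THRESHOLD = 5                # distinct usernames in the window that raise an alert (assumed)

# Constructed sample log, not real traffic. Assumed format: "<ip> <iso-timestamp> <method> <path?query> <status>".
# The username is assumed to arrive as a query parameter only so that each request fits on one line.
SAMPLE_LOG = """\
10.0.0.5 2026-03-16T10:00:01 POST /authLoginAction!login.do?username=a&password=x 200
10.0.0.5 2026-03-16T10:00:02 POST /authLoginAction!login.do?username=ad&password=x 200
10.0.0.5 2026-03-16T10:00:03 POST /authLoginAction!login.do?username=adm&password=x 200
10.0.0.5 2026-03-16T10:00:04 POST /authLoginAction!login.do?username=admi&password=x 200
10.0.0.5 2026-03-16T10:00:05 POST /authLoginAction!login.do?username=admin&password=x 401
10.0.0.5 2026-03-16T10:00:06 POST /authLoginAction!login.do?username=oper&password=x 200
10.0.0.9 2026-03-16T10:00:07 POST /authLoginAction!login.do?username=jdoe&password=x 401
10.0.0.9 2026-03-16T10:00:20 POST /authLoginAction!login.do?username=jdoe&password=y 401
10.0.0.9 2026-03-16T10:03:00 GET /index.do 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$")


def parse_login_events(log_text):
    """Return (ip, timestamp, username) for every request that hit the login endpoint with a username."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # unparseable line: skip rather than crash the hunt
        path, _, query = m.group("target").partition("?")
        if path != LOGIN_PATH:
            continue
        username = parse_qs(query).get("username", [None])[0]
        if username is None:
            continue
        events.append((m.group("ip"), datetime.fromisoformat(m.group("ts")), username))
    return events


def longest_prefix_chain(usernames):
    """Length of the longest run in which each username extends the previous one.

    A run such as a, ad, adm, admi, admin is the signature of partial-string probing."""
    best = run = 1 if usernames else 0
    for prev, cur in zip(usernames, usernames[1:]):
        if cur.startswith(prev) and len(cur) > len(prev):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def detect_enumeration(log_text, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return one alert per source IP that submitted at least `threshold` distinct usernames within `window`."""
    per_ip = defaultdict(list)
    for ip, ts, user in parse_login_events(log_text):
        per_ip[ip].append((ts, user))

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        recent = []                                    # events still inside the sliding window
        for ts, user in events:
            recent.append((ts, user))
            recent = [(t, u) for t, u in recent if ts - t <= window]
            distinct = sorted({u for _, u in recent})
            if len(distinct) >= threshold:
                alerts.append({
                    "ip": ip,
                    "window_start": recent[0][0].isoformat(),
                    "window_end": ts.isoformat(),
                    "distinct_usernames": distinct,
                    "prefix_chain": longest_prefix_chain([u for _, u in recent]),
                })
                break                                  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The distinct-username count catches any enumeration burst; the prefix-chain score separates the partial-string probing this advisory describes from a generic credential-stuffing run, which tends to submit unrelated usernames. A repeated failure for a single username (10.0.0.9 above) is a normal mistyped password and is not flagged.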

Advisories from IBM X-Force Exchange, Packet Storm Security, VulnCheck, and Zero Science (ZSL-2016-5366) document the issue and provide technical details; specific patch information and mitigation steps are left to those publications for practitioners to review.

EU & UK References

Vulnerability details

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1110.004 Credential Stuffing Credential Access
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
T1589.001 Credentials Reconnaissance
Adversaries may gather credentials that can be used during targeting.
Why these techniques?

User enumeration directly supports valid account discovery for subsequent brute-force guessing and credential stuffing attacks.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4636 (shared CWE-551)

Affected Assets

Ibmcloud
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5, AI)

IA-6 (prevent): obscures authentication feedback and prevents disclosure of usernames during failed attempts, directly eliminating the differing responses that enable user enumeration via partial inputs.

SI-11 (prevent): restricts error messages to minimal, non-revealing content, preventing the application from leaking information about valid usernames through response variations.

AC-7 (prevent): enforces limits on unsuccessful logon attempts, rate-limiting enumeration requests to the authLoginAction!login.do endpoint and hindering systematic discovery of valid accounts.
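The three controls above translate into a few concrete properties of a login handler: the same status code and message for "unknown user" and "wrong password" (IA-6, SI-11), the same amount of work done in both cases so timing does not leak the difference, and a cap on unsuccessful attempts per client (AC-7). The following is an added example written for this page, not ZKBioSecurity's code or any vendor's; the user store, the PBKDF2 parameters, the attempt limit and the client addresses are all constructed assumptions:

```python
"""Login handler whose failure feedback does not reveal whether a username exists (IA-6 / SI-11),
with a per-client limit on unsuccessful attempts (AC-7)."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example
# One generic failure for both "no such user" and "wrong password" (SI-11: non-revealing errors).
GENERIC_FAILURE = {"status": 401, "body": "Invalid username or password."}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store for the example (hypothetical account, not a real credential).
USERS = {"admin": hash_password("correct horse battery staple")}
# Dummy record that unknown usernames are verified against, so the server performs the same
# hashing work (and takes about the same time) whether or not the account exists.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class LoginService:
    def __init__(self, users, max_attempts=5, lockout_seconds=300):
        self.users = users
        self.max_attempts = max_attempts          # AC-7: unsuccessful attempts allowed per window
        self.lockout_seconds = lockout_seconds
        self._failures = {}                       # client key -> (failure_count, window_start)

    def login(self, username, password, client_ip, now=None):
        """Return a response dict. `now` is injectable so the lockout logic can be tested deterministically."""
        now = time.monotonic() if now is None else now
        if self._is_locked(client_ip, now):
            return {"status": 429, "body": "Too many attempts; try again later."}
        salt, stored = self.users.get(username, _DUMMY_RECORD)
        _, candidate = hash_password(password, salt)
        # Always perform the constant-time comparison, then additionally require a real account.
        password_ok = hmac.compare_digest(candidate, stored)
        if password_ok and username in self.users:
            self._failures.pop(client_ip, None)
            return {"status": 200, "body": "Login successful."}
        self._record_failure(client_ip, now)
        return dict(GENERIC_FAILURE)              # identical body and status for both failure causes

    def _record_failure(self, key, now):
        count, start = self._failures.get(key, (0, now))
        if now - start > self.lockout_seconds:    # stale window: start counting again
            count, start = 0, now
        self._failures[key] = (count + 1, start)

    def _is_locked(self, key, now):
        count, start = self._failures.get(key, (0, now))
        if now - start > self.lockout_seconds:
            self._failures.pop(key, None)
            return False
        return count >= self.max_attempts


def failure_responses_match(service, client_ip="198.51.100.7"):
    """True when an unknown username and a wrong password for a real user produce identical responses."""
    unknown = service.login("no-such-user", "anything", client_ip, now=0.0)
    wrong_pw = service.login("admin", "not-the-password", client_ip, now=1.0)
    return unknown == wrong_pw


if __name__ == "__main__":
    svc = LoginService(USERS)
    print("failure responses indistinguishable:", failure_responses_match(svc))
```

The dummy-record trick is what closes the timing channel the advisory lists alongside status codes and error messages: without it, an unknown username would skip the password hash entirely and return measurably faster. The attempt limit is keyed by client address here; keying it by username as well is common, but a per-username lockout must itself respond identically for unknown usernames or it reintroduces the oracle.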

References