Cyber Resilience

CVE-2016-20034

Severity: High · Public PoC

Published: 16 March 2026
Modified: 19 March 2026
KEV Added:
Patch:
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0021 (10.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20034 is a high-severity CSRF (CWE-352) vulnerability in Wowza Streaming Engine. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2016-20034 is a privilege escalation vulnerability affecting Wowza Streaming Engine 4.5.0, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-352. The flaw allows authenticated read-only users to elevate their privileges to administrator by manipulating POST parameters sent to the user edit endpoint, specifically by setting the accessLevel parameter to 'admin' and the advUser parameters to 'true' and 'on'. The server applies these privilege fields without checking that the requesting account is itself authorized to grant them.

An attacker with existing read-only authentication can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full administrative access, enabling high-impact confidentiality, integrity, and availability violations, such as modifying server configurations, accessing sensitive data, or performing arbitrary administrative actions.

Advisories and proof-of-concept exploits detailing the vulnerability are available from sources including Zero Science Labs (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php), Exploit-DB (https://www.exploit-db.com/exploits/40133), and Vulncheck (https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit).

Vulnerability details

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and the advUser parameters set to 'true' and 'on' to gain administrative access.
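As an added illustration (not Wowza code, and not taken from any of the advisories cited above), the handler below shows the flawed pattern this page describes, a user-edit endpoint that copies privilege fields straight from the POST body, beside a version that enforces authorization server-side (the AC-3 and AC-6 controls named in the summary). The user model, the allowed accessLevel values and the displayName field are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed user model (not Wowza's): the page only names the accessLevel
# and advUser parameters; the value sets and field names here are constructed.
ACCESS_LEVELS = ("read-only", "admin")
PRIVILEGED_FIELDS = {"accessLevel", "advUser"}


@dataclass
class User:
    name: str
    access_level: str = "read-only"
    adv_user: bool = False
    display_name: str = ""


def _truthy(value: str) -> bool:
    # HTML form flags and checkboxes commonly arrive as "on" or "true"
    return value in ("true", "on")


def edit_user_vulnerable(actor: User, target: User, form: dict) -> User:
    """Flawed pattern: every POST field is copied into the record without
    checking who submitted it, so a read-only user editing a record can
    send accessLevel=admin and advUser=true and become an administrator."""
    target.display_name = form.get("displayName", target.display_name)
    if "accessLevel" in form:
        target.access_level = form["accessLevel"]
    if "advUser" in form:
        target.adv_user = _truthy(form["advUser"])
    return target


def edit_user_hardened(actor: User, target: User, form: dict) -> User:
    """Server-side enforcement (AC-3 / AC-6): privilege fields are honoured
    only when the acting session is already an administrator, and the
    submitted value is checked against an allow-list before it is stored."""
    target.display_name = form.get("displayName", target.display_name)
    if not PRIVILEGED_FIELDS & form.keys():
        return target  # ordinary profile edit, no privilege change requested
    if actor.access_level != "admin":
        raise PermissionError("only administrators may change privilege fields")
    if "accessLevel" in form:
        level = form["accessLevel"]
        if level not in ACCESS_LEVELS:
            raise ValueError(f"invalid accessLevel: {level!r}")
        target.access_level = level
    if "advUser" in form:
        target.adv_user = _truthy(form["advUser"])
    return target
```

The refused request in the hardened path is also the event worth logging and alerting on: a non-admin session submitting accessLevel or advUser is exactly the behaviour the advisories describe.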

CWE(s): CWE-352 (Cross-Site Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct privilege escalation from read-only to admin via parameter manipulation on an authenticated endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2016-20033 (same product: Wowza Streaming Engine)
CVE-2024-13315 (shared CWE-352)
CVE-2025-27276 (shared CWE-352)
CVE-2025-23530 (shared CWE-352)
CVE-2025-55041 (shared CWE-352)
CVE-2025-23532 (shared CWE-352)
CVE-2026-30793 (shared CWE-352)
CVE-2025-27012 (shared CWE-352)
CVE-2025-26206 (shared CWE-352)
CVE-2025-25928 (shared CWE-352)

Affected Assets

Wowza Streaming Engine 4.5.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent, AC-3 (Access Enforcement): Enforces approved authorizations to prevent read-only users from elevating privileges via manipulated POST parameters to the user edit endpoint.

Prevent, input validation: Validates information inputs such as the accessLevel and advUser parameters to reject unauthorized attempts to set administrative privileges.

Prevent, AC-6 (Least Privilege): Employs least privilege to restrict read-only users from performing administrative actions such as privilege escalation.
