Cyber Posture

CVE-2016-20034

High · Public PoC

Published: 16 March 2026

Modified: 19 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-20034 is a high-severity CSRF (CWE-352) vulnerability in Wowza Streaming Engine. Its CVSS base score is 8.8 (High).

Operationally, it is ranked at the 10.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Enforces approved authorizations to prevent read-only users from elevating privileges via manipulated POST parameters to the user edit endpoint.

prevent: Validates information inputs like accessLevel and advUser parameters to reject unauthorized attempts to set administrative privileges.

prevent: Employs least privilege to restrict read-only users from performing administrative actions such as privilege escalation.
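
The controls above amount to a server-side, deny-by-default check on the user edit handler. The sketch below is an added example, not Wowza's code and not taken from the advisory. The role names, the `password` field, the session shape and the function names are assumptions; only `accessLevel` and `advUser` come from the description.

```python
"""Deny-by-default authorization for a user-edit form handler."""

ALL_FIELDS = "*"
# Fields each role may write. Role names and "password" are hypothetical.
ROLE_WRITABLE = {
    "admin": {ALL_FIELDS},
    "readOnly": {"password"},
}

class Forbidden(Exception):
    """The caller's session role does not permit the requested change."""

def authorize_user_edit(session, target_user, stored, posted):
    """Return the field changes to persist, or raise Forbidden.

    session     -- server-side session: {"user": ..., "role": ...}
    target_user -- account named in the edit request
    stored      -- current record of target_user
    posted      -- decoded POST form fields (untrusted)
    """
    role = session["role"]  # taken from the session, never from the form
    writable = ROLE_WRITABLE.get(role, set())  # unknown role: nothing
    # Forms usually echo every field, so only real changes are judged.
    changes = {k: v for k, v in posted.items() if stored.get(k) != v}
    if ALL_FIELDS in writable:
        return changes
    if session["user"] != target_user:
        raise Forbidden(f"{role} may not edit another account")
    denied = sorted(k for k in changes if k not in writable)
    if denied:
        raise Forbidden(f"{role} may not change: {', '.join(denied)}")
    return changes

# Constructed sample data, shaped after the request the description mentions.
STORED = {"accessLevel": "readOnly", "advUser": "false", "password": "old"}
SESSION = {"user": "viewer", "role": "readOnly"}
ESCALATION = {"accessLevel": "admin", "advUser": "true", "password": "old"}

if __name__ == "__main__":
    print(authorize_user_edit(SESSION, "viewer", STORED, {"password": "new"}))
    try:
        authorize_user_edit(SESSION, "viewer", STORED, ESCALATION)
    except Forbidden as err:
        print("rejected:", err)
```

Because the allowlist names what a role may write rather than what it may not, any privilege-bearing field added later is refused for non-admin sessions without a code change.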

NVD Description

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.

Deeper analysis · AI

CVE-2016-20034 is a privilege escalation vulnerability affecting Wowza Streaming Engine 4.5.0, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-352. The flaw allows authenticated read-only users to elevate their privileges to administrator by manipulating POST parameters sent to the user edit endpoint, specifically by setting accessLevel to 'admin' and advUser parameters to 'true' and 'on'.

An attacker with existing read-only authentication can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full administrative access, enabling high-impact confidentiality, integrity, and availability violations, such as modifying server configurations, accessing sensitive data, or performing arbitrary administrative actions.

Advisories and proof-of-concept exploits detailing the vulnerability are available from sources including Zero Science Labs (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php), Exploit-DB (https://www.exploit-db.com/exploits/40133), and Vulncheck (https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit).

Details

CWE(s)

Affected Products

Vendor: wowza
Product: streaming engine
Version: 4.5.0

CVEs Like This One

CVE-2016-20033 · Same product: Wowza Streaming Engine
CVE-2026-28495 · Shared CWE-352
CVE-2025-22343 · Shared CWE-352
CVE-2025-30564 · Shared CWE-352
CVE-2025-26543 · Shared CWE-352
CVE-2025-25907 · Shared CWE-352
CVE-2025-31616 · Shared CWE-352
CVE-2025-31449 · Shared CWE-352
CVE-2026-5791 · Shared CWE-352
CVE-2025-23990 · Shared CWE-352
