PatchSiren cyber security CVE debrief
CVE-2016-20030 ZKTeco Inc. CVE debrief
CVE-2016-20030 is a critical user enumeration vulnerability in ZKTeco ZKBioSecurity 3.0. Unauthenticated attackers can discover valid usernames by submitting partial characters via the username parameter to the authLoginAction!login.do script.
- Vendor: ZKTeco Inc.
- Product: ZKTeco ZKBioSecurity
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-16
- Original CVE updated: 2026-06-08
- Advisory published: 2026-03-16
- Advisory updated: 2026-06-08
Who should care
Security teams and administrators responsible for ZKTeco ZKBioSecurity 3.0 systems should prioritize patching this vulnerability to prevent potential attacks.
Technical summary
The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. It allows attackers to send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the user enumeration vulnerability.
- Implement additional security measures, such as rate limiting and IP blocking, to prevent exploitation attempts.
- Monitor system logs for suspicious activity related to the authLoginAction!login.do script.
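To make the log-monitoring action concrete, the following is an added example (not code from the advisory, PatchSiren, or ZKTeco) that scans web-server access logs for the pattern this vulnerability produces: one source trying many distinct, progressively longer usernames against authLoginAction!login.do. It assumes combined-format access logs with the username in the query string; the log lines are constructed samples, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined format). Whether the username appears in
# the query string or the POST body on a real deployment is an assumption; adapt parse_line.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2026:10:00:01 +0000] "POST /authLoginAction!login.do?username=adm HTTP/1.1" 200 512
10.0.0.5 - - [16/Mar/2026:10:00:02 +0000] "POST /authLoginAction!login.do?username=admi HTTP/1.1" 200 512
10.0.0.5 - - [16/Mar/2026:10:00:02 +0000] "POST /authLoginAction!login.do?username=admin HTTP/1.1" 200 498
10.0.0.5 - - [16/Mar/2026:10:00:03 +0000] "POST /authLoginAction!login.do?username=oper HTTP/1.1" 200 512
10.0.0.5 - - [16/Mar/2026:10:00:03 +0000] "POST /authLoginAction!login.do?username=opera HTTP/1.1" 200 512
10.0.0.5 - - [16/Mar/2026:10:00:04 +0000] "POST /authLoginAction!login.do?username=operator HTTP/1.1" 200 498
192.168.1.20 - - [16/Mar/2026:10:05:00 +0000] "POST /authLoginAction!login.do?username=jsmith HTTP/1.1" 200 498
192.168.1.20 - - [16/Mar/2026:10:05:30 +0000] "GET /index.do HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Return {ip, username, size} for requests to the login action, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if not url.path.endswith("authLoginAction!login.do"):
        return None
    username = parse_qs(url.query).get("username", [None])[0]
    return {"ip": m.group("ip"), "username": username, "size": int(m.group("size"))}


def prefix_probes(names):
    """Count usernames that are a proper prefix of another name tried by the same source.
    Probing a login name one character at a time leaves a chain of such prefixes."""
    ordered = sorted(names)  # lexicographic order puts each prefix before its extensions
    return sum(1 for i, a in enumerate(ordered) if any(b.startswith(a) for b in ordered[i + 1:]))


def find_enumeration_sources(log_text, distinct_threshold=5, prefix_threshold=3):
    """Flag source IPs whose login attempts look like user enumeration.
    Returns {ip: {"distinct": n, "prefix_probes": k}} for flagged sources only."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["username"]:
            tried[rec["ip"]].add(rec["username"])
    flagged = {}
    for ip, names in tried.items():
        probes = prefix_probes(names)
        if len(names) >= distinct_threshold or probes >= prefix_threshold:
            flagged[ip] = {"distinct": len(names), "prefix_probes": probes}
    return flagged
```

A source that also shows a consistent response-size split between tried names (512 versus 498 bytes in the constructed sample) is worth correlating, since that difference is what an enumeration attempt keys on.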
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4], [ref-5], [ref-6], and [ref-7].
Official resources
CVE-2016-20030 was published on [cvePublishedAt] and modified on [cveModifiedAt].