Description
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.
Published: 2026-03-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: User enumeration
Action: Immediate Patch
AI Analysis

Impact

ZKTeco ZKBioSecurity 3.0 contains a vulnerability that allows an unauthenticated attacker to enumerate valid usernames by submitting partial username strings to the authLoginAction!login.do endpoint. The application returns distinguishable responses based on whether the supplied prefix matches an existing account, enabling enumeration of user identities. This user enumeration weakness can be leveraged to facilitate subsequent credential guessing or phishing attacks, compromising confidentiality and enabling targeted attacks. This vulnerability is an example of CWE-551.

Affected Systems

The affected product is ZKTeco Inc.'s ZKBioSecurity access control system. The vulnerability exists in version 3.0 of ZKBioSecurity. No other versions were listed, so only this specific release is known to be impacted.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is rated critical, yet the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not cataloged in the CISA KEV list. An attacker can exploit it remotely by sending HTTP requests over the network to the affected device, provided the authLoginAction!login.do endpoint is reachable. Because no authentication is required, any client that can reach the endpoint could begin enumeration, and the process is easily scripted.

Generated by OpenCVE AI on March 21, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to the latest ZKBioSecurity firmware that eliminates the enumeration flaw.
  • If a patch is not currently available, restrict network access to the authentication endpoint by firewall rules or IP filtering, allowing only trusted management traffic.
  • Monitor authentication logs for repeated failed or partial username submissions and alert on suspicious activity.
  • Consider disabling or relocating the authentication service behind a VPN to reduce exposure.
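The monitoring step above can be made concrete as detection logic. The following is an added example, not OpenCVE's or ZKTeco's code: it scans constructed access-log lines for a single client that sends many distinct, prefix-growing username values to authLoginAction!login.do inside a short window. The log layout, the thresholds and the assumption that the username is visible in the logged query string are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
# Assumed access-log layout: client, timestamp, request line, status; the username is assumed to be logged in the query string.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ENDPOINT = "authLoginAction!login.do"
DISTINCT_THRESHOLD = 5          # distinct usernames from one client ...
WINDOW = timedelta(minutes=5)   # ... inside this window raise an alert

def parse_line(line):
    """Return (client_ip, timestamp, username) for a login request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith(ENDPOINT):
        return None
    username = parse_qs(url.query).get("username", [""])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, username

def prefix_chain(names):
    """Count names that are a proper prefix of another name (the grow-by-one-character pattern)."""
    return sum(1 for a in names if any(b != a and b.startswith(a) for b in names))

def find_enumeration(lines):
    """Map client IP -> (sorted distinct usernames, prefix-chain length) for clients over threshold."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec[0]].append(rec[1:])
    alerts = {}
    for ip, events in per_client.items():
        events.sort()                       # sliding window over (timestamp, username)
        for i, (t0, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - t0 <= WINDOW}
            if len(names) >= DISTINCT_THRESHOLD:
                alerts[ip] = (sorted(names), prefix_chain(names))
                break
    return alerts

# Constructed sample: 203.0.113.7 probes "admin" one character at a time; 198.51.100.5 logs in once.
SAMPLE_LOG = [f'203.0.113.7 - - [16/Mar/2026:10:00:{i:02d} +0000] "GET /authLoginAction!login.do'
              f'?username={"admin"[:i + 1]}&password=x HTTP/1.1" 200' for i in range(5)]
SAMPLE_LOG.append('198.51.100.5 - - [16/Mar/2026:10:00:30 +0000] "GET /authLoginAction!login.do?username=admin&password=x HTTP/1.1" 302')
if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

A high prefix-chain count alongside the distinct-name threshold separates the character-by-character probing this advisory describes from an ordinary burst of mistyped logins.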

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

  First time appeared (added): Zkteco; Zkteco zkbiosecurity
  Vendors & Products (added): Zkteco; Zkteco zkbiosecurity

Sun, 15 Mar 2026 14:00:00 +0000

  Description (added): ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.
  Title (added): ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
  Weaknesses (added): CWE-551
  References (added):
  Metrics (added): cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (added): cvssV4_0
    {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:20.095Z

Reserved: 2026-03-15T12:37:09.340Z

Link: CVE-2016-20030

Vulnrichment

Updated: 2026-03-16T14:17:46.042Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:49.727

Modified: 2026-03-16T14:53:46.157

Link: CVE-2016-20030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:46Z

Weaknesses