CVE-2016-20030
ZKTeco · ZKBioSecurity
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability in the authLoginAction!login.do script, allowing unauthenticated attackers to discover valid usernames.
Executive summary
An unauthenticated user enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 facilitates targeted brute-force attacks by allowing attackers to identify valid system accounts.
Vulnerability
The application fails to mask differences in responses when partial characters are submitted to the username parameter in the login script. This allows an unauthenticated attacker to systematically discover valid usernames through the authLoginAction!login.do script.
Business impact
While user enumeration is often seen only as a precursor to further attacks, the CVSS score of 9.8 indicates this vulnerability is part of a critical risk chain. Discovering valid usernames significantly reduces the effort required for brute-force or credential-stuffing attacks, which can lead to unauthorized access to the security management system. This could result in the compromise of physical security logs and access controls.
Remediation
Immediate Action: Update ZKBioSecurity to the latest version or apply patches that normalize authentication responses to prevent account discovery.
Proactive Monitoring: Review authentication logs for high volumes of failed login attempts or systematic username variations originating from a single IP address.
Compensating Controls: Implement account lockout policies and multi-factor authentication (MFA) to mitigate the risk of attackers successfully using discovered usernames.
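The monitoring step above can be automated. The following is an added example written for this advisory, not code from ZKTeco or the ZKBioSecurity product: it scans login-script entries for sources that rack up many failed logins, or try many different usernames, within a short window. The key=value log format and the thresholds are assumptions for illustration; ZKBioSecurity's real log format is not described on this page, so adapt the regex to whatever your proxy or application log actually records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format (not the product's
# real log format): timestamp, source IP, requested path, username tried, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 path=/authLoginAction!login.do user=a result=fail
2024-05-01T09:00:02Z src=203.0.113.5 path=/authLoginAction!login.do user=ad result=fail
2024-05-01T09:00:03Z src=203.0.113.5 path=/authLoginAction!login.do user=adm result=fail
2024-05-01T09:00:04Z src=203.0.113.5 path=/authLoginAction!login.do user=admi result=fail
2024-05-01T09:00:05Z src=203.0.113.5 path=/authLoginAction!login.do user=admin result=fail
2024-05-01T09:01:00Z src=198.51.100.7 path=/authLoginAction!login.do user=jsmith result=fail
2024-05-01T09:01:30Z src=198.51.100.7 path=/authLoginAction!login.do user=jsmith result=ok
2024-05-01T09:02:00Z src=198.51.100.9 path=/index.do user=- result=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
LOGIN_PATH = "/authLoginAction!login.do"  # the vulnerable login script named in the advisory

def parse(text):
    """Yield (timestamp, src, user, result) for lines that hit the login script only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path") == LOGIN_PATH:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("src"), m.group("user"), m.group("result")

def flag_enumeration(text, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Return {src: (failed_attempts, distinct_usernames)} for each source whose
    failed logins inside a sliding `window` exceed max_fail or max_users."""
    per_src = defaultdict(list)
    for ts, src, user, result in parse(text):
        if result == "fail":
            per_src[src].append((ts, user))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            hit = (end - start + 1, len(users))  # (failures, distinct names) in window
            if (hit[0] > max_fail or hit[1] > max_users) and hit >= flagged.get(src, (0, 0)):
                flagged[src] = hit  # keep the largest offending window per source
    return flagged
```

Calling flag_enumeration(SAMPLE_LOG) reports only 203.0.113.5, which tried five different names in four seconds; the single failure followed by a success from 198.51.100.7 is ordinary user behaviour and is not flagged.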
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations using ZKTeco ZKBioSecurity 3.0 must update their installations immediately to prevent attackers from mapping out valid user accounts. Given the critical severity rating, this should be treated as a high-priority task to protect the integrity of the organization's security infrastructure.