CVE-2016-20034

HIGH

Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20034. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 by sending a crafted POST request to elevate a read-only user to admin or advanced admin rights via manipulated parameters.

Description

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · html · webapps · multiple
https://www.exploit-db.com/exploits/40133


Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Wowza Streaming Engine 4.5.0 (build 18676)
Auth required
Prerequisites: Valid read-only user credentials
devstral-2 · analyzed Mar 16, 2026

References (3)

Core References (3)
Exploit: ExploitDB-40133
https://www.exploit-db.com/exploits/40133
Vendor Advisory: Vulnerability Advisory
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
Third Party Advisory: VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit
https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit

Scores

CVSS v3: 8.8
EPSS: 0.0004
EPSS Percentile: 12.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-352
Status: published
Products (2):
wowza/streaming_engine 4.5.0
Wowza Media Systems, LLC./Wowza Streaming Engine 4.5.0
Published: Mar 16, 2026
Tracked Since: Mar 16, 2026