A customer pointed to CVE-2007-2768 being called out in a vulnerability scan report from their PAM environment. The NVD entry for this CVE is at https://nvd.nist.gov/vuln/detail/CVE-2007-2768
The NVD description reads: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, because it displays a different response if the user account exists and is configured to use one-time passwords (OTP); this is a similar issue to CVE-2007-2243.
PAM 3.x and above
Clarification for mention of PAM in CVE-2007-2768
The CVE was created in 2007, which was 15 years before this KB was written. It specifically concerns the Pluggable Authentication Module framework used with one-time passwords, which is not relevant to the current Symantec PAM (Privileged Access Manager) design.
Additionally, the finding in the vulnerability scan report is not directed at Symantec PAM but at devices that are accessed through the PAM Client. Because the scan report mentioned PAM, the customer's Security Team concluded this was a PAM vulnerability. In reality, the Security Team should engage the owners of the devices that were accessed through PAM. The report mentions "OPIE for PAM", but in that phrase PAM stands for pluggable authentication module (One-Time Passwords in Everything for the pluggable authentication module), not Symantec PAM.
FYI only: Broadcom executes penetration testing on each released/certified version of PAM. The penetration test reports are not released to customers; they exist to ensure we have a secure product given the market we serve. We also run the standard black-box scans and code scans looking for issues.
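To make the NVD description above concrete, the following constructed example (not OpenSSH, OPIE or Symantec code) models an OTP-aware login prompt that leaks whether an account exists and is enrolled for one-time passwords, beside a hardened form that answers every username with a challenge of the same shape. The account table, seeds and decoy key are made up for this illustration.

```python
"""Constructed model of the account-disclosure pattern described for
CVE-2007-2768. Not OpenSSH or OPIE code; all names and values are made up."""
import hashlib
import hmac

# Constructed account table: username -> (enrolled_for_otp, otp_seed)
ACCOUNTS = {
    "alice": (True, "a1b2c3"),   # exists, enrolled for OTP
    "bob": (False, None),        # exists, not enrolled
}

# Server-side secret used only to derive a stable decoy seed for names
# without a real enrolment (constructed value, would be generated per host).
DECOY_KEY = b"constructed-decoy-key"


def vulnerable_prompt(username: str) -> str:
    """Leaky behaviour: only an existing, OTP-enrolled account sees a
    challenge, so the prompt itself reveals the account's state."""
    entry = ACCOUNTS.get(username)
    if entry and entry[0]:
        return f"otp-md5 499 {entry[1]}\nResponse:"
    return "Password:"


def hardened_prompt(username: str) -> str:
    """Uniform behaviour: every name gets a challenge of the same shape.
    Names without a real seed get a decoy derived from an HMAC over the
    username, so repeated probes of one name always see the same challenge."""
    entry = ACCOUNTS.get(username)
    if entry and entry[0]:
        seed = entry[1]
    else:
        digest = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).hexdigest()
        seed = digest[:6]  # same length as a real seed
    return f"otp-md5 499 {seed}\nResponse:"


def prompt_shape(prompt: str) -> str:
    """Reduce a prompt to its structure so differing seeds do not count."""
    if prompt.startswith("otp-md5 "):
        return "otp-md5 <seq> <seed>\nResponse:"
    return prompt


def leaks_account_state(prompt_fn) -> bool:
    """Defender's check: does the prompt shape differ across an enrolled
    user, an unenrolled user and a non-existent user?"""
    shapes = {prompt_shape(prompt_fn(u)) for u in ("alice", "bob", "nobody")}
    return len(shapes) > 1
```

`leaks_account_state(vulnerable_prompt)` returns True and `leaks_account_state(hardened_prompt)` returns False; the same shape-comparison check can be run against any real prompt capture to confirm a fix has removed the discrepancy.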