← back
CVE-2026-8598

Unauthenticated Export Service in ZKTeco CCTV Cameras

CVSS 9.1 CRITICALEPSS 0.5%CWE-288
An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
ZKTeco · SSC335-GC2063-Face-0b77 Solution Camera

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-04.jsonhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04https://www.zkteco.com/en/announcement/23