CVE-2026-8598

CRITICAL

Unauthenticated Export Service in ZKTeco CCTV Cameras

Title source: cna

Description

An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera, such as open services and camera account credentials.

Scores

CVSS v3: 9.1
EPSS: 0.0008
EPSS Percentile: 23.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-288
Status: published
Products (2)
ZKTeco/SSC335-GC2063-Face-0b77 Solution Camera < V5.0.1.2.20260421
ZKTeco/SSC335-GC2063-Face-0b77 Solution Camera V5.0.1.2.20260421
Published: May 20, 2026
Tracked Since: May 20, 2026