Skip to main content

ZKTeco CCTV Cameras CVE-2026-8598

| EUVDEUVD-2026-31124 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-20 icscert GHSA-r827-rrrf-hq75
9.1
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (icscert) · only source for this CVE.

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 16:00 vuln.today

DescriptionCVE.org

An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.

AnalysisAI

Information disclosure in ZKTeco SSC335-GC2063-Face-0B77 Solution Camera exposes credentials and service details through an undocumented configuration export port that requires no authentication. Remote unauthenticated attackers on the network can retrieve camera account credentials and enumerate open services, enabling full takeover of the device. No public exploit identified at time of analysis, but the CVSS 9.1 score and ICS-CERT advisory reflect significant operational risk to deployed surveillance infrastructure.

Technical ContextAI

The affected product is ZKTeco's SSC335-GC2063-Face-0B77 Solution Camera, an IP-based CCTV/face-recognition camera commonly deployed in physical access control and surveillance environments (CPE: cpe:2.3:a:zkteco:ssc335-gc2063-face-0b77_solution_camera). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the firmware exposes a hidden, undocumented configuration-export TCP port that bypasses the camera's normal authentication path entirely, returning configuration data - including device account credentials and a list of running services - in cleartext to any network peer that connects.

RemediationAI

Patch status is not explicitly provided in the input data, so consult the vendor announcement at https://www.zkteco.com/en/announcement/23 and CISA ICSA-26-139-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04) for the exact fixed firmware version - no vendor-released patch version was independently confirmed from the provided data. As compensating controls until a verified fix is deployed, place cameras on an isolated management VLAN and block all inbound access to the undocumented configuration-export TCP port at the network firewall (this stops remote disclosure with no functional impact on RTSP/ONVIF video streams), rotate all camera account credentials after any potential exposure, and disable internet exposure of the device entirely (trade-off: remote viewing requires a VPN or reverse proxy with authentication). Pair this with egress filtering to detect post-compromise outbound traffic from the camera subnet.

Share

CVE-2026-8598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy