Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (icscert) · only source for this CVE.
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.
AnalysisAI
Information disclosure in ZKTeco SSC335-GC2063-Face-0B77 Solution Camera exposes credentials and service details through an undocumented configuration export port that requires no authentication. Remote unauthenticated attackers on the network can retrieve camera account credentials and enumerate open services, enabling full takeover of the device. No public exploit identified at time of analysis, but the CVSS 9.1 score and ICS-CERT advisory reflect significant operational risk to deployed surveillance infrastructure.
Technical ContextAI
The affected product is ZKTeco's SSC335-GC2063-Face-0B77 Solution Camera, an IP-based CCTV/face-recognition camera commonly deployed in physical access control and surveillance environments (CPE: cpe:2.3:a:zkteco:ssc335-gc2063-face-0b77_solution_camera). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the firmware exposes a hidden, undocumented configuration-export TCP port that bypasses the camera's normal authentication path entirely, returning configuration data - including device account credentials and a list of running services - in cleartext to any network peer that connects.
RemediationAI
Patch status is not explicitly provided in the input data, so consult the vendor announcement at https://www.zkteco.com/en/announcement/23 and CISA ICSA-26-139-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04) for the exact fixed firmware version - no vendor-released patch version was independently confirmed from the provided data. As compensating controls until a verified fix is deployed, place cameras on an isolated management VLAN and block all inbound access to the undocumented configuration-export TCP port at the network firewall (this stops remote disclosure with no functional impact on RTSP/ONVIF video streams), rotate all camera account credentials after any potential exposure, and disable internet exposure of the device entirely (trade-off: remote viewing requires a VPN or reverse proxy with authentication). Pair this with egress filtering to detect post-compromise outbound traffic from the camera subnet.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31124
GHSA-r827-rrrf-hq75