ZKTeco CCTV Authentication Bypass Vulnerability

An authentication bypass vulnerability exists in ZKTeco CCTV cameras, specifically affecting the SSC335-GC2063-Face-0b77 Solution versions prior to V5.0.1.2.20260421. CVE-2026-8598 describes how an undocumented configuration export port is accessible without authentication, which exposes critical information, including camera account credentials and open services. Successful exploitation of this vulnerability allows unauthorized access to sensitive camera data. This vulnerability was reported to CISA by Souvik Kandar. ZKTeco released a patch in firmware version V5.0.1.2.20260421.

Attack Chain

1. Attacker identifies a vulnerable ZKTeco CCTV camera exposed on a network.
2. Attacker sends a request to the undocumented configuration export port.
3. The camera responds with a configuration file without requiring authentication.
4. Attacker parses the configuration file.
5. Attacker extracts sensitive information, including camera account credentials, from the configuration file.
6. Attacker uses the obtained credentials to access the camera’s management interface.
7. Attacker gains unauthorized access to live video feeds and camera settings.

Impact

Successful exploitation of CVE-2026-8598 can lead to unauthorized access to sensitive video and audio data. This may result in privacy violations, intellectual property theft, or facilitate further malicious activities, such as physical intrusions. The vulnerability affects ZKTeco CCTV cameras deployed worldwide, including in commercial facilities.

Recommendation

• Upgrade ZKTeco CCTV cameras to firmware version V5.0.1.2.20260421 or later to remediate CVE-2026-8598.
• Use the IOC URL https://www.zkteco.com/en/announcement/23 to monitor for updates and further information from ZKTeco.
• Enable network monitoring to detect suspicious connections to undocumented ports on ZKTeco cameras and deploy the Sigma rule to detect connections to common ports used by these devices.