Undocumented Configuration Export Port Vulnerability in ZKTeco CCTV Cameras
CVE-2026-8598

9.1CRITICAL

Key Information:

Vendor: Zkteco
Status: Ssc335-gc2063-face-0b77 Solution Camera
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-8598?

Certain models of ZKTeco CCTV cameras contain an undocumented configuration export port that is exposed without any authentication requirements. This vulnerability allows unauthorized users to access sensitive information, including details about the available services and the camera account credentials. As a result, it raises significant security concerns about the safeguarding of footage and advanced site monitoring capabilities.

Affected Version(s)

SSC335-GC2063-Face-0b77 Solution Camera 0

SSC335-GC2063-Face-0b77 Solution Camera V5.0.1.2.20260421

References

https://www.zkteco.com/en/announcement/23

vendor-advisory

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
May 14, 2026

Credit

Souvik Kandar reported this vulnerability to CISA.

CVE-2026-8598 Data

JSON