Critical Authentication Bypass in ZKTeco CCTV Cameras (CVE‑2026‑8598) Exposes Credentials
What It Is – A newly disclosed authentication‑bypass flaw (CVE‑2026‑8598) in select ZKTeco CCTV camera models allows an unauthenticated attacker to query an undocumented configuration‑export port. The port returns service listings and clear‑text camera account credentials.
Exploitability – The vulnerability is publicly known, has a CVSS v3.1 score of 9.1 (Critical), and proof‑of‑concept exploitation has been demonstrated by CISA. No known active ransomware or malware campaigns are leveraging it yet, but the low barrier to exploitation makes rapid weaponisation likely.
Affected Products – ZKTeco SSC335‑GC2063‑Face‑0b77 Solution cameras (firmware V5.0.1.2.20260421 and earlier).
TPRM Impact – Organizations that rely on ZKTeco cameras for physical security—especially commercial facilities, retail sites, and third‑party integrators—face credential leakage that can be chained to network pivoting or surveillance sabotage, creating a supply‑chain foothold.
Recommended Actions –
- Verify inventory of ZKTeco CCTV devices and firmware versions.
- Upgrade all affected units to firmware V5.0.1.2.20260421 or later immediately.
- Disable or firewall the undocumented export port if firmware upgrade is delayed.
- Rotate all camera account passwords and audit for any anomalous access.
- Incorporate the camera vendor into your third‑party risk monitoring program and require proof of remediation.
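For the inventory step above, the check can be scripted. This is an added example, not code from CISA or ZKTeco: the CSV column names, hostnames, and the assumption that firmware strings are "V" followed by dotted numbers are all illustrative. The listed build itself is treated as affected, following the Affected Products line.

```python
import csv
import io
import re

# Values taken from the advisory text above.
AFFECTED_MODEL = "SSC335-GC2063-Face-0b77"
LAST_AFFECTED = "V5.0.1.2.20260421"

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """hostname,model,firmware
lobby-cam-01,SSC335-GC2063-Face-0b77,V5.0.1.2.20260421
dock-cam-02,SSC335-GC2063-Face-0b77 Solution,V5.0.1.2.20251103
gate-cam-03,SSC335-GC2063-Face-0b77,V5.0.1.3.20260601
yard-cam-04,SSC335-GC2063-Face-0b77,unknown
office-cam-05,OTHER-MODEL-EXAMPLE,V1.0.0.0.20240101
"""

def parse_firmware(text):
    """Return the version as a tuple of ints, or None if it is not 'V' + dotted numbers."""
    m = re.fullmatch(r"[Vv](\d+(?:\.\d+)+)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def normalize_model(text):
    """Fold non-breaking and en hyphens (common in pasted advisories) to ASCII."""
    return re.sub(r"[\u2010-\u2015]", "-", text).strip().lower()

def triage(inventory_csv):
    """Classify each in-scope camera as 'affected', 'ok' or 'review'."""
    limit = parse_firmware(LAST_AFFECTED)
    target = normalize_model(AFFECTED_MODEL)
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if target not in normalize_model(row["model"]):
            continue  # model not named in the advisory
        version = parse_firmware(row["firmware"])
        if version is None:
            result[row["hostname"]] = "review"  # unreadable version: check by hand
        elif version <= limit:
            result[row["hostname"]] = "affected"
        else:
            result[row["hostname"]] = "ok"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices marked `review` should be checked on the unit itself rather than assumed safe.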
Source: CISA Advisory – ICSA‑26‑139‑04