CVE-2026-8598

Unauthenticated Export Service in ZKTeco CCTV Cameras

CVSS 9.1 CRITICALEPSS 0.5%CWE-288

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.1EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

20 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

ZKTeco · SSC335-GC2063-Face-0b77 Solution Camera

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-04.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04 https://www.zkteco.com/en/announcement/23