A newly disclosed, critical vulnerability in ZKTeco CCTV cameras is serving as a reminder that the devices we install to watch our perimeters can sometimes be the very doors attackers use to walk right in.
Tracked as CVE-2026-8598 and carrying a severe CVSS base score of 9.1, this flaw essentially leaves the digital keys to the camera out in the open. Here is a breakdown of what this vulnerability is, why it matters, and how to fix it—whether you are making high-level risk decisions or actively deploying patches on the network floor.
At the heart of this vulnerability is an undocumented configuration export port left active on certain ZKTeco cameras, specifically affecting the SSC335-GC2063-Face-0b77 model versions.
In simple terms, this network port was designed to export the camera’s configuration data, but it completely lacks any authentication requirements. Anyone who can reach the camera over the network can connect to this port. When queried, the camera freely hands over highly sensitive system information without ever asking for a username or password.
The leaked data includes a detailed map of open services running on the device and, most critically, the camera’s administrative account credentials.
An attacker can quietly harvest login credentials with a single, unauthenticated network request. Once they have those credentials, they effectively own the device. They can view live surveillance feeds, manipulate the device settings, or hijack the camera’s computing power.
A 9.1 severity vulnerability that requires zero user interaction means attackers can use automated scripts to compromise these cameras at scale. If these CCTV devices are not properly isolated and sit on the same network segments as your core business servers, a compromised camera can quickly be weaponized as a persistent foothold for lateral movement into the wider corporate network.
Fortunately, ZKTeco has acknowledged the severity of the flaw and issued an official patch. If your organization utilizes ZKTeco CCTV infrastructure, action should be taken immediately.
- Apply the Patch: Upgrade the firmware of all affected cameras to version V5.0.1.2.20260421 (or any later release) at your earliest opportunity. This update successfully closes the undocumented port.
- Enforce Network Segmentation: As a standard defensive practice, ensure your physical security and IoT devices are strictly segmented from your primary production and corporate networks. CCTV cameras should never be directly exposed to the public internet.
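The two remediation steps above can be checked against an asset inventory. The following is an added example, not code from ZKTeco or the advisory; the inventory fields, host names, addresses and the `10.50.0.0/24` camera segment are constructed, and it assumes firmware versions are a `V` followed by dot-separated integers that compare field by field.

```python
import ipaddress
import re

# Fixed firmware release named in the remediation list above.
FIXED_VERSION = "V5.0.1.2.20260421"

def parse_version(text):
    """Turn 'V5.0.1.2.20260421' into (5, 0, 1, 2, 20260421).

    Assumption: versions are a 'V' followed by dot-separated integers and
    later releases compare greater field by field. Returns None if the
    string does not match, so unknown formats are never treated as patched.
    """
    m = re.fullmatch(r"[Vv](\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(inventory, isolated_nets):
    """Return {host: [findings]} for cameras that need attention."""
    fixed = parse_version(FIXED_VERSION)
    nets = [ipaddress.ip_network(n) for n in isolated_nets]
    report = {}
    for cam in inventory:
        findings = []
        ver = parse_version(cam["firmware"])
        if ver is None:
            findings.append("unparseable firmware version, verify manually")
        elif ver < fixed:
            findings.append("firmware older than " + FIXED_VERSION)
        # Segmentation check: the camera must sit in a dedicated segment.
        addr = ipaddress.ip_address(cam["ip"])
        if not any(addr in n for n in nets):
            findings.append("outside the isolated camera segment")
        if findings:
            report[cam["host"]] = findings
    return report

# Constructed sample inventory (hypothetical hosts, addresses and versions).
SAMPLE = [
    {"host": "cam-lobby", "ip": "10.50.0.11", "firmware": "V5.0.1.2.20260421"},
    {"host": "cam-dock", "ip": "10.50.0.12", "firmware": "V5.0.1.2.20251130"},
    {"host": "cam-office", "ip": "10.10.4.20", "firmware": "V5.0.2.0.20260601"},
    {"host": "cam-gate", "ip": "10.50.0.13", "firmware": "unknown"},
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE, ["10.50.0.0/24"]).items():
        print(host, "->", "; ".join(findings))
```

Address membership only shows where a camera sits; firewall rules between the camera segment and other networks still need to be reviewed separately.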
For further technical specifications and official manufacturer guidance, you can review the complete ZKTeco security advisory here.