CISA Warns of Critical Authentication Bypass in ZKTeco CCTV Cameras
A critical authentication bypass vulnerability, CVE-2026-8598, has been disclosed in ZKTeco CCTV cameras, exposing account credentials and service information without authentication.

CISA released an advisory on May 19, 2026, detailing a critical vulnerability in ZKTeco CCTV cameras. The flaw, tracked as CVE-2026-8598, resides in the SSC335-GC2063-Face-0b77 solution running firmware versions before V5.0.1.2.20260421. An undocumented configuration export port is accessible over the network and requires no authentication, allowing any remote attacker to download camera account credentials and a list of open services. The vulnerability carries a CVSS score of 9.1, making it critical in severity.
The flaw is classified as CWE-288, authentication bypass using an alternate path or channel. The undocumented port was likely left open during development and never removed from production firmware. As a result, an attacker who can reach the camera over the network can retrieve sensitive configuration data, including usernames and passwords for the device itself, potentially gaining full administrative control over the camera feed and settings.
ZKTeco's CCTV cameras are deployed worldwide across commercial facilities, including retail stores, office buildings, warehouses, and other critical infrastructure sectors. The wide geographic distribution and the sensitive nature of video surveillance data make this vulnerability particularly concerning. If exploited, an attacker could use captured credentials to pivot deeper into a victim's network, or simply monitor private camera feeds.
ZKTeco has released a patched firmware version V5.0.1.2.20260421 that removes the undocumented port. The company recommends all users upgrade immediately. A security advisory is available at their announcement page. CISA also strongly urges organizations to minimize network exposure of control system devices and to ensure CCTV cameras are not directly accessible from the internet. When remote access is required, use VPNs and other secure methods.
No known public exploitation of CVE-2026-8598 has been reported to CISA as of the advisory's publication. However, the ease of exploitation — requiring only network access with no authentication — means that proof-of-concept code or automated scanning for vulnerable devices is likely to emerge quickly. Security teams should prioritize patching all affected ZKTeco cameras, especially those exposed to untrusted networks.
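One way to turn that prioritization into a patch queue, as an added example that is not code from CISA or ZKTeco: it checks an asset inventory against the fixed firmware version and lists unpatched, exposed cameras first. The inventory columns and host names are constructed, and comparing the dotted version fields numerically is an assumption about the vendor's version scheme.

```python
import csv
import io
import re

FIXED = "V5.0.1.2.20260421"                    # fixed firmware named in the advisory
AFFECTED_SOLUTION = "SSC335-GC2063-Face-0b77"  # affected solution named in the advisory

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,solution,firmware,internet_exposed
cam-lobby,SSC335-GC2063-Face-0b77,V5.0.1.2.20251103,yes
cam-dock,SSC335-GC2063-Face-0b77,V5.0.1.2.20260421,no
cam-vault,SSC335-GC2063-Face-0b77,V5.0.0.9.20250610,no
cam-gate,SSC335-GC2063-Face-0b77,unknown,yes
cam-other,OTHER-SOLUTION,V1.0.0.0.20240101,no
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not V<n>.<n>..."""
    text = text.strip()
    if not re.fullmatch(r"[Vv]\d+(\.\d+)*", text):
        return None
    # Assumption: fields compare numerically, left to right.
    return tuple(int(part) for part in text[1:].split("."))

def triage(inventory_csv):
    """Classify each affected-solution device and sort by patch priority."""
    fixed = parse_version(FIXED)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["solution"].strip() != AFFECTED_SOLUTION:
            continue  # not the solution covered by this advisory
        version = parse_version(row["firmware"])
        if version is None:
            status = "UNKNOWN"      # cannot be shown to be patched: check by hand
        elif version < fixed:
            status = "VULNERABLE"   # firmware before the fixed release
        else:
            status = "PATCHED"
        exposed = row["internet_exposed"].strip().lower() == "yes"
        findings.append((row["host"], status, exposed))
    # Unpatched first, then unknown; exposed devices first within each group.
    rank = {"VULNERABLE": 0, "UNKNOWN": 1, "PATCHED": 2}
    return sorted(findings, key=lambda f: (rank[f[1]], not f[2], f[0]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status:10} exposed={exposed}")
```

Devices whose firmware string cannot be parsed are reported as UNKNOWN rather than assumed patched, so they stay in the queue until someone verifies them.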
This vulnerability adds to a growing list of critical flaws in surveillance and IoT devices where undocumented debug or configuration interfaces have been left exposed in production firmware. The researcher Souvik Kandar is credited with responsibly reporting the flaw to CISA. As always, organizations are advised to follow CISA's recommended practices for securing industrial control systems and to monitor for any signs of malicious activity targeting these devices.