
Description

An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.

PUBLISHED Reserved 2026-05-14 | Published 2026-05-20 | Updated 2026-05-20 | Assigner icscert




CRITICAL: 9.1 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CRITICAL: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-288

Product status

Default status: unaffected

Any version before V5.0.1.2.20260421: affected

V5.0.1.2.20260421: unaffected

Credits

Souvik Kandar reported this vulnerability to CISA. (finder)

References

www.zkteco.com/en/announcement/23 (vendor-advisory)

www.cisa.gov/news-events/ics-advisories/icsa-26-139-04

github.com/...p/csaf_files/OT/white/2026/icsa-26-139-04.json

cve.org (CVE-2026-8598)

nvd.nist.gov (CVE-2026-8598)
