{
"title": "CISA Warns ZKTeco CCTV CVE-2026-8598: Unauthenticated Config Export Exposes Credentials",
"content": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent Industrial Control Systems (ICS) advisory on May 19, 2026, for a critical vulnerability in ZKTeco CCTV cameras that permits unauthenticated attackers to remotely extract complete device configurations, including plain‑text passwords and network credentials. The flaw, indexed as CVE-2026-8598, carries a CVSS v4 score of 9.8 and affects all firmware versions of the SSC335-GC2063-Face-0b77 Solution prior to V5.0.1.2.20260421.
The discovery highlights a persistent gap in IoT security: a simple oversight—an unprotected HTTP endpoint—can gut an entire physical security infrastructure. With public proof‑of‑concept exploit code already circulating, the clock is ticking for organizations to patch or isolate vulnerable units.
What the Vulnerability Allows
The root cause is a configuration export function embedded in the camera’s web interface that fails to verify whether the requester is authenticated. By sending a crafted HTTP GET request to a specific path, an attacker can trigger the camera to package and return a tar.gz archive containing every system configuration file.
The advisory, ICSA‑26‑139‑01, confirms that the endpoint responds without any session token or basic‑auth header. Attackers need only network line‑of‑sight to the device—no prior access, no login, no interaction beyond a single request.
A typical exploit request resembles:
GET /cgi-bin/configexport.cgi HTTP/1.1
Host: [cameraip]
The server replies with an uncompressed or GZIP‑compressed archive stuffed with sensitive files. Among the most damaging are:
- config.ini – administrator usernames and either hashed or cleartext passwords
- network.cfg – static IP, subnet mask, gateway, DNS servers, and VLAN tags
- wifi.cfg – SSID and pre‑shared key for wireless models
- rtsp.cfg – streaming usernames and passwords
- sip.cfg – VoIP account credentials if integrated with a phone system
- ssl/ – private keys for any HTTPS certificate installed on the camera
Affected Hardware and Supply‑Chain Scope
The firmware, marketed as the “SSC335-GC2063-Face-0b77 Solution,” runs on SigmaStar SSC335 system‑on‑chips. SigmaStar is a Shanghai‑based fabless semiconductor company whose SoCs are popular among white‑box camera manufacturers due to their low cost and integrated face‑recognition accelerators. The SSC335 features a dual-core Cortex‑A7 CPU running at 1.2 GHz, a hardware face‑detection engine, and H.264/H.265 encoding. Typically, it boots a stripped‑down Linux 4.19 kernel with BusyBox, a lightweight httpd server (often GoAhead or thttpd), and custom CGI scripts that manage the device.
ZKTeco licenses the reference design and customizes the software stack, but several other original design manufacturers (ODMs) ship cameras built on the same hardware and a nearly identical codebase. CISA’s advisory explicitly names ZKTeco, but security researchers at IoT Inspector—who discovered the bug—have identified at least seven other brands that use the vulnerable firmware, often under different marketing names. Until each vendor issues its own advisory, asset owners are advised to treat any SSC335‑based camera as potentially affected and to check for the exposed endpoint manually.
How to Verify if a Device is Vulnerable
Organizations can quickly test their own cameras with a simple cURL command:
curl -v http://<cameraip>/cgi-bin/configexport.cgi --output configbackup.tar.gz
If the command returns a file with sensitive contents, the device is vulnerable. Many cameras also respond to the same path via POST. Network administrators should scan their camera subnets using tools like nmap with http‑useragent‑tester scripts, or leverage Shodan queries that search for the “Face‑0b77” tag in HTTP Server headers.
Disclosure Timeline and Patching
- January 17, 2026 – IoT Inspector privately discloses the vulnerability to ZKTeco via their security contact.
- February 13, 2026 – ZKTeco acknowledges the report and begins root‑cause analysis.
- March 22, 2026 – A beta patch enters internal testing.
- April 21, 2026 – Firmware version V5.0.1.2.20260421 is published on ZKTeco’s support portal. The update removes the unprotected endpoint and requires administrative authentication for any configuration operation.
- May 19, 2026 – CISA publishes advisory ICSA‑26‑139‑01 after confirming the fix and noting that exploit code has appeared in public repositories.
Real‑World Exploit Scenarios
Historical precedent demonstrates that IoT vulnerabilities with configuration exposure are not mere theoretical exercises. In 2021, a similar flaw in Verkada cameras allowed attackers to view live feeds from hospitals, schools, and even Tesla factories. Earlier, the Mirai botnet enslaved millions of IP cameras and routers by exploiting default credentials and unprotected remote‑access interfaces.
Beyond credential theft, an attacker with the full configuration can:
- Hijack video streams – Replace the live feed with a static image while conducting physical intrusions.
- Modify recording schedules – Disable motion‑triggered recording to cover tracks.
- Inject malicious firmware – Using the stolen administrative password, upload a trojanized firmware image that installs a persistent backdoor.
- Pivot to internal networks – Use captured Wi‑Fi keys or wired‑network details to connect to corporate VLANs directly.
Voices from the Front Lines
“This is about as bad as it gets for a camera vulnerability,” said Dr. Elena Torres, principal researcher at IoT Inspector. “We threw our standard fuzzer at the firmware and the endpoint responded within seconds. There’s simply no authentication check at all—it’s a design flaw, not a coding error.”
“The real danger is the cascading effect,” added Marcus Byrne, CTO of CyberSafe OT. “Steal one config file and you might have the keys to an entire building’s security and IT network. We’ve seen attackers move from a cheap camera to a domain controller in under thirty minutes using nothing but harvested credentials.”
Immediate Mitigation Steps
CISA recommends a four‑phase approach for asset owners:
- Identify – Inventory all ZKTeco cameras and any OEM variants. Use network scanners to fingerprint the web interface. The vulnerable firmware often announces itself with a “Face‑0b77” tag in the HTTP Server header.
- Patch or Isolate – Apply firmware V5.0.1.2.20260421 immediately. If a patch is not available for your specific model, contact ZKTeco support. For devices that cannot be updated, move them to a dedicated, firewalled VLAN with no inbound internet access and restrict management to a jump host.
- Rotate Credentials – Change all passwords associated with camera accounts, especially if the same credentials are used elsewhere. Regenerate Wi‑Fi pre‑shared keys and update any RTSP‑dependent systems.
- Monitor – Deploy intrusion detection rules that alert on requests to configexport.cgi. CISA has published Snort signatures in the advisory appendix. Log all outbound traffic from camera subnets and investigate any unexpected transfers of large files.
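The Identify and Monitor steps above (and the Server-header fingerprint mentioned under verification) can be turned into a small triage script. The following Python is an added example, not code from the article, CISA, ZKTeco or IoT Inspector: it parses constructed web-server log lines in a vhost-prefixed Common Log Format (camera address first, then the requesting client), flags every request to /cgi-bin/configexport.cgi, separates exports that evidently succeeded (HTTP 200 with a non-empty body, so that camera's credentials must be rotated) from attempts a patched device rejected with 401/403, and checks a Server header for the "Face-0b77" tag. The camera and client addresses, timestamps, sizes and header strings are constructed; the log format, the regex and the outcome thresholds are my assumptions and are not CISA's Snort signatures.

```python
import re
from typing import Dict, List, Optional

# Constructed log lines (not real traffic) in a vhost-prefixed Common Log
# Format: <camera ip> <client ip> - - [ts] "<request>" <status> <bytes>.
SAMPLE_LOG = """\
10.20.5.101 10.20.5.17 - - [19/May/2026:08:01:12 +0000] "GET /cgi-bin/configexport.cgi HTTP/1.1" 200 48213
10.20.5.101 10.20.5.17 - - [19/May/2026:08:01:13 +0000] "GET /index.html HTTP/1.1" 200 1193
10.20.5.102 203.0.113.9 - - [19/May/2026:08:02:40 +0000] "POST /cgi-bin/configexport.cgi?fmt=tgz HTTP/1.1" 200 51007
10.20.5.102 203.0.113.9 - - [19/May/2026:08:02:41 +0000] "GET /cgi-bin/snapshot.cgi HTTP/1.1" 200 30412
10.20.5.103 203.0.113.9 - - [19/May/2026:08:05:03 +0000] "GET /cgi-bin/configexport.cgi HTTP/1.1" 401 0
10.20.5.101 203.0.113.9 - - [19/May/2026:08:07:55 +0000] "GET /cgi-bin/configexport.cgi HTTP/1.1" 200 48213
"""

# Endpoint named in the write-up; any request to it deserves an alert.
WATCHED_PATH = "/cgi-bin/configexport.cgi"

# Tag the article says the vulnerable firmware places in the HTTP Server header.
FINGERPRINT_TAG = "face-0b77"

# Assumed log layout (see SAMPLE_LOG); adjust the pattern to your own format.
LOG_RE = re.compile(
    r'^(?P<camera>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_hit(status: str, size: str) -> str:
    """Label a configexport request by what the response reveals.

    200 with a non-empty body: the camera handed over its configuration and
    every credential in it must be rotated. 401/403: what the patched firmware
    (authentication now required) should answer. Anything else: still an
    attempt worth seeing.
    """
    body = int(size) if size.isdigit() else 0
    if status == "200" and body > 0:
        return "export_succeeded"
    if status in ("401", "403"):
        return "rejected"
    return "attempt"


def find_config_export_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every request to the export endpoint, each with an outcome label."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        # Compare the path only, so a ?query string cannot hide the endpoint.
        if rec["path"].split("?", 1)[0] != WATCHED_PATH:
            continue
        rec["outcome"] = classify_hit(rec["status"], rec["size"])
        hits.append(rec)
    return hits


def cameras_needing_rotation(hits: List[Dict[str, str]]) -> List[str]:
    """Unique camera addresses whose config was exported, in first-seen order."""
    seen: List[str] = []
    for h in hits:
        if h["outcome"] == "export_succeeded" and h["camera"] not in seen:
            seen.append(h["camera"])
    return seen


def is_suspect_server_header(headers: Dict[str, str]) -> bool:
    """Inventory helper: does a device's Server header carry the firmware tag?

    The tag is compared case-insensitively, and a non-breaking hyphen (as it
    appears in some copies of the advisory text) is normalised to a plain one.
    """
    value = headers.get("Server") or headers.get("server") or ""
    return FINGERPRINT_TAG in value.replace("\u2011", "-").lower()


if __name__ == "__main__":
    found = find_config_export_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} cam={h['camera']} src={h['client']} "
              f"{h['method']} {h['status']} {h['size']} -> {h['outcome']}")
    print("rotate credentials on:", cameras_needing_rotation(found))
    print("fingerprint match:", is_suspect_server_header({"Server": "thttpd/2.29 Face-0b77"}))
```

Feed it the access or proxy logs for the camera VLAN: the "export_succeeded" rows are the cameras to treat as fully compromised (rotate every credential in the archive list above), the "rejected" rows show patched units doing the right thing, and the header check gives a quick inventory pass before Shodan or nmap results come back.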
The CISA Advisory as a Catalyst
ICSA‑26‑139‑01 exemplifies CISA’s evolving role under Executive Order 14028 and subsequent binding operational directives. The advisory not only broadcasts the vulnerability but also serves as a federal mandate for U.S. civilian agencies to patch within strict deadlines—typically 14 days for critical‑severity flaws added to the Known Exploited Vulnerabilities (KEV) catalog.