An unauthenticated configuration export vulnerability in ZKTeco CCTV cameras allows attackers to extract sensitive system credentials and service information.

This is an information disclosure vulnerability. An undocumented, unauthenticated port on the device provides access to a configuration export feature, which transmits sensitive data, including credentials, in plaintext.

The exposure of administrative credentials enables full, unauthorized access to the camera system. This could be leveraged for surveillance, credential stuffing against other internal systems, or persistent network infiltration. The 9.1 CVSS score reflects the high risk of this data exposure.

Immediate Action: Apply the latest security firmware update from ZKTeco.

Proactive Monitoring: Scan internal networks for ZKTeco devices and monitor for unauthorized connections to known configuration or management ports.

Compensating Controls: Block access to the identified configuration port via local firewall rules and ensure the cameras are placed on a restricted, non-public network.

Public Exploit Available: false

Organizations should immediately update their ZKTeco camera firmware to disable the insecure configuration port. If updates are not immediately available, restrict network access to the devices to prevent unauthorized access.