CVE-2024-8956

Warnung

Exploit

EPSS 83.61%
Veröffentlicht 17.09.2024 20:15:07
Zuletzt bearbeitet 27.10.2025 16:59:50
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ptzoptics ≫ Pt30x-sdi Firmware Version < 6.3.40

Ptzoptics ≫ Pt30x-sdi Version-

Ptzoptics ≫ Pt30x-ndi-xx-g2 Firmware Version < 6.3.40

Ptzoptics ≫ Pt30x-ndi-xx-g2 Version-

04.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

Schwachstelle

PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	83.61%	0.993

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
disclosure@vulncheck.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://ptzoptics.com/firmware-changelog/

Release Notes

https://vulncheck.com/advisories/ptzoptics-insufficient-auth

Third Party Advisory

https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai

Third Party Advisory

https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/

Third Party Advisory

Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2024-8956