7.2
CVE-2024-8957
- EPSS 55.52%
- Published 17.09.2024 21:15:13
- Last modified 27.10.2025 16:59:44
- Source disclosure@vulncheck.com
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Data provided by the National Vulnerability Database (NVD)
Ptzoptics ≫ Pt30x-sdi Firmware Version < 6.3.40
Ptzoptics ≫ Pt30x-ndi-xx-g2 Firmware Version < 6.3.40
04.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
Description: PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 55.52% | 0.98 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| disclosure@vulncheck.com | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.