← Back to CVEs
CVE-2024-8956
CRITICALCISA KEV9.1
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
CVE Details
CVSS v3.1 Score9.1
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published9/17/2024
Last Modified10/27/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorPTZOptics
ProductPT30X-SDI/NDI Cameras
Vulnerability NamePTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
KEV Date Added2024-11-04
Remediation Due Date2024-11-25
Ransomware UseUnknown
Affected Products
ptzoptics:pt30x-ndi-xx-g2ptzoptics:pt30x-ndi-xx-g2_firmwareptzoptics:pt30x-sdiptzoptics:pt30x-sdi_firmware
Weaknesses (CWE)
CWE-306CWE-287
References
https://ptzoptics.com/firmware-changelog/(disclosure@vulncheck.com)
https://vulncheck.com/advisories/ptzoptics-insufficient-auth(disclosure@vulncheck.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.