← Retour aux CVEs
CVE-2024-8956
CRITICALCISA KEV9.1
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Details CVE
Score CVSS v3.19.1
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie9/17/2024
Derniere modification10/27/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurPTZOptics
ProduitPT30X-SDI/NDI Cameras
Nom vulnerabilitePTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Date ajout KEV2024-11-04
Date limite remediation2024-11-25
Utilise dans ransomwareUnknown
Produits affectes
ptzoptics:pt30x-ndi-xx-g2ptzoptics:pt30x-ndi-xx-g2_firmwareptzoptics:pt30x-sdiptzoptics:pt30x-sdi_firmware
Faiblesses (CWE)
CWE-306CWE-287
References
https://ptzoptics.com/firmware-changelog/(disclosure@vulncheck.com)
https://vulncheck.com/advisories/ptzoptics-insufficient-auth(disclosure@vulncheck.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.