CVE-2024-8956
CRITICALCISA KEVEPSS 99th pctlDescription
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit Intelligence
Very high risk: more likely to be exploited than 99% of all known CVEs.
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation due: 2024-11-25
References
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-insufficient-auth
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-27.