CVE-2024-8956

CRITICAL KEV

Ptzoptics Pt30x-sdi Firmware < 6.3.40 - Missing Authentication

Title source: rule

Description

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

References (5)

[Release Notes] https://ptzoptics.com/firmware-changelog/

[Third Party Advisory] https://vulncheck.com/advisories/ptzoptics-insufficient-auth

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956

[Third Party Advisory] https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai

[Exploit, Third Party Advisory] https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/

Scores

CVSS v3 9.1

EPSS 0.8361

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CISA KEV 2024-11-04

VulnCheck KEV 2024-09-17

InTheWild.io 2024-11-04

ENISA EUVD EUVD-2024-49505

CWE

CWE-287 CWE-306

Status published

Products (2)

ptzoptics/pt30x-ndi-xx-g2_firmware < 6.3.40

ptzoptics/pt30x-sdi_firmware < 6.3.40

Published Sep 17, 2024

KEV Added Nov 04, 2024

Tracked Since Feb 18, 2026