CVE-2024-8956
CRITICAL KEVPTZOptics PT30X-SDI/NDI-xx < 6.3.40 - Unauthenticated Sensitive Data Exposure and Configuration Modification
Title source: llmExploitation Summary
CVE-2024-8956 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 4, 2024.
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
References (5)
Core 5
Core References
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956
Third Party Advisory
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
Exploit, Third Party Advisory
https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
Release Notes vendor-advisory
https://ptzoptics.com/firmware-changelog/
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/ptzoptics-insufficient-auth
Scores
CVSS v3
9.1
EPSS
0.8361
EPSS Percentile
99.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2024-11-04
VulnCheck KEV
2024-09-17
InTheWild.io
2024-11-04
ENISA EUVD
EUVD-2024-49505
CWE
CWE-287
CWE-306
Status
published
Products (2)
ptzoptics/pt30x-ndi-xx-g2_firmware
< 6.3.40
ptzoptics/pt30x-sdi_firmware
< 6.3.40
Published
Sep 17, 2024
KEV Added
Nov 04, 2024
Tracked Since
Feb 18, 2026