CVE-2025-35451

CRITICAL

PTZOptics Pt12x-sdi-xx-g2 Firmware < 6.3.34 - Hard-coded Credentials

Description

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.

Scores

CVSS v3 9.8
EPSS 0.0017
EPSS Percentile 37.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (50)
multicam-systems/mcamii_ptz_firmware
ptzoptics/ndi_fixed_camera_firmware < 7.2.94
ptzoptics/pt12x-ndi-xx_firmware < 6.3.34
ptzoptics/pt12x-sdi-xx-g2_firmware < 6.3.34
ptzoptics/pt12x-usb-xx-g2_firmware < 6.2.81
ptzoptics/pt12x-zcam_firmware < 7.2.76
ptzoptics/pt20x-ndi-xx_firmware < 6.3.20
ptzoptics/pt20x-sdi-xx-g2_firmware < 6.3.20
ptzoptics/pt20x-usb-xx-g2_firmware < 6.2.73
ptzoptics/pt20x-zcam_firmware < 7.2.82
... and 40 more
Published Sep 05, 2025
Tracked Since Feb 18, 2026