CVE-2025-35452
Severity CVSS v4.0:
CRITICAL
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
05/09/2025
Last modified:
23/12/2025
Description
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface.
Impact
Base Score 4.0
9.20
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:ptzoptics:pt12x-sdi-xx-g2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt12x-sdi-xx-g2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt12x-ndi-xx_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt12x-ndi-xx:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt12x-usb-xx-g2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt12x-usb-xx-g2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt20x-sdi-xx-g2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt20x-sdi-xx-g2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:t20x-ndi-xx_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:t20x-ndi-xx:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt20x-usb-xx-g2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt20x-usb-xx-g2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt30x-sdi-xx-g2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ptzoptics:pt30x-sdi-xx-g2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt30x-ndi-xx_firmware:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-162-10.json
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10
- https://www.cve.org/CVERecord?id=CVE-2025-35452
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/