CVE-2024-8956
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
17/09/2024
Last modified:
27/10/2025
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:* | 6.3.40 (excluding) | |
| cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:* | 6.3.40 (excluding) | |
| cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-insufficient-auth
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/