CVE-2024-8957
Severity CVSS v4.0: Pending analysis
Type: CWE-78 (OS Command Injections)
Publication date: 17/09/2024
Last modified: 27/10/2025
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Impact
Base Score 3.x: 7.20
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:* | 6.3.40 (excluding) | |
| cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:* | 6.3.40 (excluding) | |
| cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-command-injection
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8957
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/



