CVE-2024-8956

PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication

Basic Information

CVE State: PUBLISHED
Reserved Date: September 17, 2024
Published Date: September 17, 2024
Last Updated: November 04, 2024
Vendor: PTZOptics
Product: PT30X-SDI, PT30X-NDI
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

CVSS Scores

CVSS v3.1

9.1 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2024-11-04 00:00:00 UTC)

Known Exploited Vulnerability Information

Source: CISA
Added Date: 2024-11-04 00:00:00 UTC