CVE-2024-8957

PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration

Basic Information

CVE State
PUBLISHED
Reserved Date
September 17, 2024
Published Date
September 17, 2024
Last Updated
November 04, 2024
Vendor
PTZOptics
Product
PT30X-SDI, PT30X-NDI
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2024-11-04 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2024-11-04 00:00:00 UTC