CVE-2024-8956
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2024-09-17 CVE Reserved
- 2024-09-17 CVE Published
- 2024-11-04 CVE Updated
- 2024-11-04 Exploited in Wild
- 2024-11-19 EPSS Updated
- 2024-11-25 KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
- CAPEC-114: Authentication Abuse
References (2)
URL | Tag | Source |
---|---|---|
https://vulncheck.com/advisories/ptzoptics-insufficient-auth | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://ptzoptics.com/firmware-changelog | 2024-09-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
PTZOptics Search vendor "PTZOptics" | PT30X-SDI Search vendor "PTZOptics" for product "PT30X-SDI" | < 6.3.40 Search vendor "PTZOptics" for product "PT30X-SDI" and version " < 6.3.40" | en |
Affected
| ||||||
PTZOptics Search vendor "PTZOptics" | PT30X-NDI Search vendor "PTZOptics" for product "PT30X-NDI" | < 6.3.40 Search vendor "PTZOptics" for product "PT30X-NDI" and version " < 6.3.40" | en |
Affected
|