Vulnerability-Lookup

CVE-2024-8956 (GCVE-0-2024-8956)

Vulnerability from cvelistv5 – Published: 2024-09-17 19:59 – Updated: 2025-11-22 12:09 X_Known Exploited Vulnerability

CISA KEV

Title

PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication

Summary

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: active Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

VulnCheck

References

5 references

URL	Tags
https://ptzoptics.com/firmware-changelog/	vendor-advisory
https://vulncheck.com/advisories/ptzoptics-insuff…	third-party-advisory
https://www.labs.greynoise.io/grimoire/2024-10-31…	technical-descriptionthird-party-advisoryexploit
https://www.greynoise.io/blog/greynoise-intellige…	third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

4 products

Vendor	Product	Version
PTZOptics	PT30X-SDI	Affected: 0 , < 6.3.40 (semver)
PTZOptics	PT30X-NDI	Affected: 0 , < 6.3.40 (semver)
ptzoptics	pt30x-sdi_firmware	Affected: 0 , < 6.3.40 (custom) cpe:2.3:o:ptzoptics:pt30x-sdi_firmware::::::::
ptzoptics	pt30x-ndi-xx-g2_firmware	Affected: 0 , < 6.3.40 (custom) cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware::::::::

Credits

Konstantin Lazarev of GreyNoise

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: d5f6dcfc-46d4-41c0-8713-47182e61cb29

Vulnerability ID: CVE-2024-8956

Status: Confirmed

Status Updated: 2024-11-04 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2024-11-04

Asserted: 2024-11-04

Scope

Notes: KEV entry: PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability | Affected: PTZOptics / PT30X-SDI/NDI Cameras | Description: PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root. | Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. | Due date: 2024-11-25 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://ptzoptics.com/firmware-changelog/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-8956

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-287
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	PT30X-SDI/NDI Cameras
Due Date	2024-11-25
Date Added	2024-11-04
Vendorproject	PTZOptics
Vulnerabilityname	PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2024-8956

Created: 2026-02-02 12:26 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pt30x-sdi_firmware",
            "vendor": "ptzoptics",
            "versions": [
              {
                "lessThan": "6.3.40",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pt30x-ndi-xx-g2_firmware",
            "vendor": "ptzoptics",
            "versions": [
              {
                "lessThan": "6.3.40",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8956",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-08T15:54:06.883084Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-11-04",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:44.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "technical-description",
              "third-party-advisory",
              "exploit"
            ],
            "url": "https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/"
          },
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2024-11-04T00:00:00.000Z",
            "value": "CVE-2024-8956 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PT30X-SDI",
          "vendor": "PTZOptics",
          "versions": [
            {
              "lessThan": "6.3.40",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PT30X-NDI",
          "vendor": "PTZOptics",
          "versions": [
            {
              "lessThan": "6.3.40",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:h:ptzoptics:pt30x-sdi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.40",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.40",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Konstantin Lazarev of GreyNoise"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.\u003cbr\u003e"
            }
          ],
          "value": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-22T12:09:58.681Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://ptzoptics.com/firmware-changelog/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vulncheck.com/advisories/ptzoptics-insufficient-auth"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability"
      ],
      "title": "PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2024-8956",
    "datePublished": "2024-09-17T19:59:27.205Z",
    "dateReserved": "2024-09-17T19:08:47.005Z",
    "dateUpdated": "2025-11-22T12:09:58.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2024-8956",
      "cwes": "[\"CWE-287\"]",
      "dateAdded": "2024-11-04",
      "dueDate": "2024-11-25",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://ptzoptics.com/firmware-changelog/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-8956",
      "product": "PT30X-SDI/NDI Cameras",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.",
      "vendorProject": "PTZOptics",
      "vulnerabilityName": "PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability"
    },
    "epss": {
      "cve": "CVE-2024-8956",
      "date": "2026-06-01",
      "epss": "0.83611",
      "percentile": "0.99301"
    },
    "fkie_nvd": {
      "cisaActionDue": "2024-11-25",
      "cisaExploitAdd": "2024-11-04",
      "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "cisaVulnerabilityName": "PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability",
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.3.40\", \"matchCriteriaId\": \"604C6EEF-4273-4366-AFF2-86C3183F545D\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7462D89D-2105-417F-AB0E-D23C288156C8\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.3.40\", \"matchCriteriaId\": \"B410E242-DFEE-449D-9687-6F4D0BEB8F63\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C8F75E95-D59D-45D4-B798-D0493642F53E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.\"}, {\"lang\": \"es\", \"value\": \"Las c\\u00e1maras PTZOptics PT30X-SDI/NDI-xx anteriores al firmware 6.3.40 son vulnerables a un problema de autenticaci\\u00f3n insuficiente. La c\\u00e1mara no aplica correctamente la autenticaci\\u00f3n en /cgi-bin/param.cgi cuando se env\\u00edan solicitudes sin un encabezado de autorizaci\\u00f3n HTTP. El resultado es que un atacante remoto y no autenticado puede filtrar datos confidenciales, como nombres de usuario, hashes de contrase\\u00f1as y detalles de configuraci\\u00f3n. Adem\\u00e1s, el atacante puede actualizar valores de configuraci\\u00f3n individuales o sobrescribir todo el archivo.\"}]",
      "id": "CVE-2024-8956",
      "lastModified": "2024-11-05T02:00:01.697",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"disclosure@vulncheck.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}]}",
      "published": "2024-09-17T20:15:07.287",
      "references": "[{\"url\": \"https://ptzoptics.com/firmware-changelog/\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://vulncheck.com/advisories/ptzoptics-insufficient-auth\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "disclosure@vulncheck.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"disclosure@vulncheck.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-8956\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2024-09-17T20:15:07.287\",\"lastModified\":\"2025-10-27T16:59:50.473\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.\"},{\"lang\":\"es\",\"value\":\"Las c\u00e1maras PTZOptics PT30X-SDI/NDI-xx anteriores al firmware 6.3.40 son vulnerables a un problema de autenticaci\u00f3n insuficiente. La c\u00e1mara no aplica correctamente la autenticaci\u00f3n en /cgi-bin/param.cgi cuando se env\u00edan solicitudes sin un encabezado de autorizaci\u00f3n HTTP. El resultado es que un atacante remoto y no autenticado puede filtrar datos confidenciales, como nombres de usuario, hashes de contrase\u00f1as y detalles de configuraci\u00f3n. Adem\u00e1s, el atacante puede actualizar valores de configuraci\u00f3n individuales o sobrescribir todo el archivo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"cisaExploitAdd\":\"2024-11-04\",\"cisaActionDue\":\"2024-11-25\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability\",\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3.40\",\"matchCriteriaId\":\"604C6EEF-4273-4366-AFF2-86C3183F545D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7462D89D-2105-417F-AB0E-D23C288156C8\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3.40\",\"matchCriteriaId\":\"B410E242-DFEE-449D-9687-6F4D0BEB8F63\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8F75E95-D59D-45D4-B798-D0493642F53E\"}]}]}],\"references\":[{\"url\":\"https://ptzoptics.com/firmware-changelog/\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://vulncheck.com/advisories/ptzoptics-insufficient-auth\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]},{\"url\":\"https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8956\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-08T15:54:06.883084Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2024-11-04\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*\"], \"vendor\": \"ptzoptics\", \"product\": \"pt30x-sdi_firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.3.40\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*\"], \"vendor\": \"ptzoptics\", \"product\": \"pt30x-ndi-xx-g2_firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.3.40\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-11-04T00:00:00+00:00\", \"value\": \"CVE-2024-8956 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/\", \"tags\": [\"technical-description\", \"third-party-advisory\", \"exploit\"]}, {\"url\": \"https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-17T20:53:53.285Z\"}}], \"cna\": {\"tags\": [\"x_known-exploited-vulnerability\"], \"title\": \"PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Konstantin Lazarev of GreyNoise\"}], \"impacts\": [{\"capecId\": \"CAPEC-114\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-114 Authentication Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"PTZOptics\", \"product\": \"PT30X-SDI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.3.40\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"PTZOptics\", \"product\": \"PT30X-NDI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.3.40\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://ptzoptics.com/firmware-changelog/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://vulncheck.com/advisories/ptzoptics-insufficient-auth\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:h:ptzoptics:pt30x-sdi:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.3.40\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.3.40\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-22T12:09:58.681Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-8956\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-22T12:09:58.681Z\", \"dateReserved\": \"2024-09-17T19:08:47.005Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2024-09-17T19:59:27.205Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

BDU:2024-08975

Vulnerability from fstec - Published: 17.09.2024

Title

Уязвимость микропрограммного обеспечения веб-камер PTZOptics PT30X-SDI/NDI, связанная с неправильной аутентификацией, используемых в команде операционной системы, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость микропрограммного обеспечения веб-камер PTZOptics PT30X-SDI/NDI связана с неправильной аутентификацией. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код путём отправки специально сформированного запроса без заголовка авторизации HTTP CGI-скрипта /cgi-bin/param.cgi

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor

PTZOptics

Software Name

PT30X-SDI, PT30X-NDI-xx-G2

Software Version

до 6.3.40 (PT30X-SDI), до 6.3.40 (PT30X-NDI-xx-G2)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - использование средств межсетевого экранирования для ограничения возможности удалённого доступа к уязвимым устройствам; - ограничение доступа к устройствам из внешних сетей (Интернет); - использование систем обнаружения и предотвращения вторжений с целью выявления и реагирования на попытки эксплуатации уязвимости; - использование виртуальных частных сетей для организации удаленного доступа (VPN). Использование рекомендаций: https://ptzoptics.com/firmware-changelog/

Reference

https://ptzoptics.com/firmware-changelog/ https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/ https://vulncheck.com/advisories/ptzoptics-command-injection https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CWE

CWE-287

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "PTZOptics",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 6.3.40 (PT30X-SDI), \u0434\u043e 6.3.40 (PT30X-NDI-xx-G2)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432.\n\u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u043c \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442);\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0441 \u0446\u0435\u043b\u044c\u044e \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0447\u0430\u0441\u0442\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 \u0434\u043b\u044f \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (VPN). \n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://ptzoptics.com/firmware-changelog/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "06.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.11.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-08975",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-8956",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "PT30X-SDI, PT30X-NDI-xx-G2",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0432\u0435\u0431-\u043a\u0430\u043c\u0435\u0440 PTZOptics PT30X-SDI/NDI, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0435\u0439, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f (CWE-287)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0432\u0435\u0431-\u043a\u0430\u043c\u0435\u0440 PTZOptics PT30X-SDI/NDI \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0435\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0451\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0431\u0435\u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 HTTP CGI-\u0441\u043a\u0440\u0438\u043f\u0442\u0430 /cgi-bin/param.cgi",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://ptzoptics.com/firmware-changelog/\nhttps://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/\nhttps://vulncheck.com/advisories/ptzoptics-command-injection\nhttps://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-287",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,4)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,1)"
}

FKIE_CVE-2024-8956

Vulnerability from fkie_nvd - Published: 2024-09-17 20:15 - Updated: 2025-10-27 16:59

CISA KEV

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
disclosure@vulncheck.com	https://ptzoptics.com/firmware-changelog/	Release Notes
disclosure@vulncheck.com	https://vulncheck.com/advisories/ptzoptics-insufficient-auth	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956	US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
ptzoptics	pt30x-sdi_firmware	*
ptzoptics	pt30x-sdi	-
ptzoptics	pt30x-ndi-xx-g2_firmware	*
ptzoptics	pt30x-ndi-xx-g2	-

JSON

To clipboard

{
  "cisaActionDue": "2024-11-25",
  "cisaExploitAdd": "2024-11-04",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "604C6EEF-4273-4366-AFF2-86C3183F545D",
              "versionEndExcluding": "6.3.40",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7462D89D-2105-417F-AB0E-D23C288156C8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B410E242-DFEE-449D-9687-6F4D0BEB8F63",
              "versionEndExcluding": "6.3.40",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8F75E95-D59D-45D4-B798-D0493642F53E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file."
    },
    {
      "lang": "es",
      "value": "Las c\u00e1maras PTZOptics PT30X-SDI/NDI-xx anteriores al firmware 6.3.40 son vulnerables a un problema de autenticaci\u00f3n insuficiente. La c\u00e1mara no aplica correctamente la autenticaci\u00f3n en /cgi-bin/param.cgi cuando se env\u00edan solicitudes sin un encabezado de autorizaci\u00f3n HTTP. El resultado es que un atacante remoto y no autenticado puede filtrar datos confidenciales, como nombres de usuario, hashes de contrase\u00f1as y detalles de configuraci\u00f3n. Adem\u00e1s, el atacante puede actualizar valores de configuraci\u00f3n individuales o sobrescribir todo el archivo."
    }
  ],
  "id": "CVE-2024-8956",
  "lastModified": "2025-10-27T16:59:50.473",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-17T20:15:07.287",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://ptzoptics.com/firmware-changelog/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vulncheck.com/advisories/ptzoptics-insufficient-auth"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-58RW-8PF6-2MGQ

Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2025-10-22 00:33

Details

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-8956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T20:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.",
  "id": "GHSA-58rw-8pf6-2mgq",
  "modified": "2025-10-22T00:33:06Z",
  "published": "2024-09-17T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8956"
    },
    {
      "type": "WEB",
      "url": "https://ptzoptics.com/firmware-changelog"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/ptzoptics-insufficient-auth"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956"
    },
    {
      "type": "WEB",
      "url": "https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai"
    },
    {
      "type": "WEB",
      "url": "https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-25-162-10

Vulnerability from csaf_cisa - Published: 2025-06-12 06:00 - Updated: 2025-06-12 06:00

Summary

PTZOptics and Other Pan-Tilt-Zoom Cameras

Notes

Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation: Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded credentials.

Critical infrastructure sectors: Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health

Countries/areas deployed: Worldwide

Company headquarters location: PTZOptics - United States; multiCAM Systems - United States; ValueHD - China; SMTAV - China

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Recommended Practices: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Recommended Practices: Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices: When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices: CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices: CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices: Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices: No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

CVE-2024-8956

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 - Improper Authentication

Affected products

Known affected 4 products

Product	Version	Remediation
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: <=7.2.94 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera	<=7.2.94	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV SMTAV Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / SMTAV Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV multiCAM Systems Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / multiCAM Systems Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV ValueHD Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / ValueHD Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix

CVE-2024-8957

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected products

Known affected 4 products

Product	Version	Remediation
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: <=7.2.94 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera	<=7.2.94	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV SMTAV Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / SMTAV Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV multiCAM Systems Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / multiCAM Systems Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV ValueHD Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / ValueHD Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix

CVE-2025-35451

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-798 - Use of Hard-coded Credentials

Affected products

Known affected 17 products

Product	Version	Remediation
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SDI-xx-G2: <=6.3.34 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-SDI-xx-G2	<=6.3.34	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-NDI-xx: <=6.3.34 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-NDI-xx	<=6.3.34	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-USB-xx-G2: <=6.2.81 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-USB-xx-G2	<=6.2.81	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SDI-xx-G2: <=6.3.20 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-SDI-xx-G2	<=6.3.20	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-NDI-xx: <=6.3.20 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-NDI-xx	<=6.3.20	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-USB-xx-G2: <=6.2.73 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-USB-xx-G2	<=6.2.73	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SDI-xx-G2: <=6.3.30 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-SDI-xx-G2	<=6.3.30	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-NDI-xx: <=6.3.30 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-NDI-xx	<=6.3.30	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-ZCAM: <=7.2.76 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-ZCAM	<=7.2.76	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-ZCAM: <=7.2.82 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-ZCAM	<=7.2.82	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTVL-ZCAM: <=7.2.79 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTVL-ZCAM	<=7.2.79	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-ZCAM-G2: <=8.1.81 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTEPTZ-ZCAM-G2	<=8.1.81	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-NDI-ZCAM-G2: <=8.1.81 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTEPTZ-NDI-ZCAM-G2	<=8.1.81	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: <=7.2.94 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera	<=7.2.94	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV SMTAV Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / SMTAV Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV multiCAM Systems Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / multiCAM Systems Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV ValueHD Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / ValueHD Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix

CVE-2025-35452

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-798 - Use of Hard-coded Credentials

Affected products

Known affected 26 products

Product	Version	Remediation
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SDI-xx-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-SDI-xx-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-NDI-xx: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-NDI-xx	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-USB-xx-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-USB-xx-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SDI-xx-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-SDI-xx-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOpticsPT20X-NDI-xx: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOpticsPT20X-NDI-xx	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-USB-xx-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-USB-xx-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SDI-xx-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-SDI-xx-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-NDI-xx: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-NDI-xx	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-ZCAM: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-ZCAM	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-ZCAM: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-ZCAM	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTVL-ZCAM: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTVL-ZCAM	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-ZCAM-G2: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTEPTZ-ZCAM-G2	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-4K-xx-G3: <=0.0.58 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-4K-xx-G3	<=0.0.58	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-4K-xx-G3: <=0.0.85 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-4K-xx-G3	<=0.0.85	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-4K-xx-G3: <=2.0.64 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-4K-xx-G3	<=2.0.64	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-LINK-4K-xx: <=0.0.63 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-LINK-4K-xx	<=0.0.63	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-LINK-4K-xx: <=0.0.89 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-LINK-4K-xx	<=0.0.89	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-LINK-4K-xx: <=2.0.71 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-LINK-4K-xx	<=2.0.71	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SE-xx-G3: <=9.1.43 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT12X-SE-xx-G3	<=9.1.43	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SE-xx-G3: <=9.1.32 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT20X-SE-xx-G3	<=9.1.32	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SE-xx-G3: <=9.1.33 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT30X-SE-xx-G3	<=9.1.33	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT-STUDIOPRO: <=9.0.41 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PT-STUDIOPRO	<=9.0.41	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: <=7.2.94 ValueHD, PTZOptics, multiCAM Systems, SMTAV / PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera	<=7.2.94	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV SMTAV Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / SMTAV Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV multiCAM Systems Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / multiCAM Systems Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix
ValueHD, PTZOptics, multiCAM Systems, SMTAV ValueHD Pan-Tilt-Zoom Cameras: vers:all/* ValueHD, PTZOptics, multiCAM Systems, SMTAV / ValueHD Pan-Tilt-Zoom Cameras	vers:all/*	Mitigation fix Mitigation Mitigation fix Mitigation fix Mitigation fix

References

20 references

URL	Category
https://raw.githubusercontent.com/cisagov/CSAF/de…	self
https://www.cisa.gov/news-events/ics-advisories/i…	self
https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-…	external
https://www.cisa.gov/resources-tools/resources/ic…	external
https://www.cisa.gov/sites/default/files/publicat…	external
https://www.cisa.gov/topics/industrial-control-systems	external
https://us-cert.cisa.gov/sites/default/files/reco…	external
https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B	external
https://www.cisa.gov/uscert/sites/default/files/p…	external
https://www.cisa.gov/uscert/ncas/tips/ST04-014	external
https://www.cve.org/CVERecord?id=CVE-2024-8956	external
https://www.first.org/cvss/calculator/3.1#CVSS:3.…	external
https://www.first.org/cvss/calculator/4.0#CVSS:4.…	external
https://www.cve.org/CVERecord?id=CVE-2024-8957	external
https://www.first.org/cvss/calculator/3.1#CVSS:3.…	external
https://www.first.org/cvss/calculator/4.0#CVSS:4.…	external
https://www.cve.org/CVERecord?id=CVE-2025-35451	external
https://www.first.org/cvss/calculator/3.1#CVSS:3.…	external
https://www.first.org/cvss/calculator/4.0#CVSS:4.…	external
https://www.cve.org/CVERecord?id=CVE-2025-35452	external

Acknowledgments

an anonymous researcher

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "an anonymous researcher"
        ],
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded credentials. ",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "PTZOptics - United States; multiCAM Systems - United States; ValueHD - China; SMTAV - China",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-25-162-10 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-162-10.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-25-162-10 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      }
    ],
    "title": "PTZOptics and Other Pan-Tilt-Zoom Cameras",
    "tracking": {
      "current_release_date": "2025-06-12T06:00:00.000000Z",
      "generator": {
        "date": "2025-06-12T14:40:48.605025Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-25-162-10",
      "initial_release_date": "2025-06-12T06:00:00.000000Z",
      "revision_history": [
        {
          "date": "2025-06-12T06:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.34",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SDI-xx-G2: \u003c=6.3.34",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.34",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-NDI-xx: \u003c=6.3.34",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.2.81",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-USB-xx-G2: \u003c=6.2.81",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-USB-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.20",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SDI-xx-G2: \u003c=6.3.20",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.20",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-NDI-xx: \u003c=6.3.20",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.2.73",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-USB-xx-G2: \u003c=6.2.73",
                  "product_id": "CSAFPID-0006"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-USB-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.30",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SDI-xx-G2: \u003c=6.3.30",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.3.30",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-NDI-xx: \u003c=6.3.30",
                  "product_id": "CSAFPID-0008"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=7.2.76",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-ZCAM: \u003c=7.2.76",
                  "product_id": "CSAFPID-0009"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=7.2.82",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-ZCAM: \u003c=7.2.82",
                  "product_id": "CSAFPID-0010"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=7.2.79",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTVL-ZCAM: \u003c=7.2.79",
                  "product_id": "CSAFPID-0011"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTVL-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=8.1.81",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-ZCAM-G2: \u003c=8.1.81",
                  "product_id": "CSAFPID-0012"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTEPTZ-ZCAM-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=8.1.81",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-NDI-ZCAM-G2: \u003c=8.1.81",
                  "product_id": "CSAFPID-0013"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTEPTZ-NDI-ZCAM-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SDI-xx-G2: vers:all/*",
                  "product_id": "CSAFPID-0014"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-NDI-xx: vers:all/*",
                  "product_id": "CSAFPID-0015"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-USB-xx-G2: vers:all/*",
                  "product_id": "CSAFPID-0016"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-USB-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SDI-xx-G2: vers:all/*",
                  "product_id": "CSAFPID-0017"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOpticsPT20X-NDI-xx: vers:all/*",
                  "product_id": "CSAFPID-0018"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOpticsPT20X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-USB-xx-G2: vers:all/*",
                  "product_id": "CSAFPID-0019"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-USB-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SDI-xx-G2: vers:all/*",
                  "product_id": "CSAFPID-0020"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-SDI-xx-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-NDI-xx: vers:all/*",
                  "product_id": "CSAFPID-0021"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-NDI-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-ZCAM: vers:all/*",
                  "product_id": "CSAFPID-0022"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-ZCAM: vers:all/*",
                  "product_id": "CSAFPID-0023"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTVL-ZCAM: vers:all/*",
                  "product_id": "CSAFPID-0024"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTVL-ZCAM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTEPTZ-ZCAM-G2: vers:all/*",
                  "product_id": "CSAFPID-0025"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTEPTZ-ZCAM-G2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=0.0.58",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-4K-xx-G3: \u003c=0.0.58",
                  "product_id": "CSAFPID-0026"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-4K-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=0.0.85",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-4K-xx-G3: \u003c=0.0.85",
                  "product_id": "CSAFPID-0027"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-4K-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2.0.64",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-4K-xx-G3: \u003c=2.0.64",
                  "product_id": "CSAFPID-0028"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-4K-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=0.0.63",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-LINK-4K-xx: \u003c=0.0.63",
                  "product_id": "CSAFPID-0029"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-LINK-4K-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=0.0.89",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-LINK-4K-xx: \u003c=0.0.89",
                  "product_id": "CSAFPID-0030"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-LINK-4K-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2.0.71",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-LINK-4K-xx: \u003c=2.0.71",
                  "product_id": "CSAFPID-0031"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-LINK-4K-xx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=9.1.43",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT12X-SE-xx-G3: \u003c=9.1.43",
                  "product_id": "CSAFPID-0032"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT12X-SE-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=9.1.32",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT20X-SE-xx-G3: \u003c=9.1.32",
                  "product_id": "CSAFPID-0033"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT20X-SE-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=9.1.33",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT30X-SE-xx-G3: \u003c=9.1.33",
                  "product_id": "CSAFPID-0034"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT30X-SE-xx-G3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=9.0.41",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PT-STUDIOPRO: \u003c=9.0.41",
                  "product_id": "CSAFPID-0035"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PT-STUDIOPRO"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=7.2.94",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: \u003c=7.2.94",
                  "product_id": "CSAFPID-0036"
                }
              }
            ],
            "category": "product_name",
            "name": "PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV SMTAV Pan-Tilt-Zoom Cameras: vers:all/*",
                  "product_id": "CSAFPID-0037"
                }
              }
            ],
            "category": "product_name",
            "name": "SMTAV Pan-Tilt-Zoom Cameras"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV multiCAM Systems Pan-Tilt-Zoom Cameras: vers:all/*",
                  "product_id": "CSAFPID-0038"
                }
              }
            ],
            "category": "product_name",
            "name": "multiCAM Systems Pan-Tilt-Zoom Cameras"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV ValueHD Pan-Tilt-Zoom Cameras: vers:all/*",
                  "product_id": "CSAFPID-0039"
                }
              }
            ],
            "category": "product_name",
            "name": "ValueHD Pan-Tilt-Zoom Cameras"
          }
        ],
        "category": "vendor",
        "name": "ValueHD, PTZOptics, multiCAM Systems, SMTAV"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-8956",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "summary",
          "text": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0036",
          "CSAFPID-0037",
          "CSAFPID-0038",
          "CSAFPID-0039"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8956"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "PTZOptics has provided a fix to the affected versions for the listed CVEs. The fix for each product can be obtained on the PTZOptics Known Vulnerabilities and Fixes site.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://ptzoptics.com/known-vulnerabilities-and-fixes/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD, multiCAM Systems, and SMTAV did not respond to requests for coordination. Please contact the respective companies through the following means for more information:",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        },
        {
          "category": "mitigation",
          "details": "SMTAV Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.smtav.com/pages/about"
        },
        {
          "category": "mitigation",
          "details": "multiCAM Systems Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.multicam-systems.com/contact/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://global.vhd.com.cn/list-42.html"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2024-8957",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0036",
          "CSAFPID-0037",
          "CSAFPID-0038",
          "CSAFPID-0039"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8957"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "PTZOptics has provided a fix to the affected versions for the listed CVEs. The fix for each product can be obtained on the PTZOptics Known Vulnerabilities and Fixes site.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://ptzoptics.com/known-vulnerabilities-and-fixes/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD, multiCAM Systems, and SMTAV did not respond to requests for coordination. Please contact the respective companies through the following means for more information:",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        },
        {
          "category": "mitigation",
          "details": "SMTAV Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.smtav.com/pages/about"
        },
        {
          "category": "mitigation",
          "details": "multiCAM Systems Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.multicam-systems.com/contact/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD Contact Us page.",
          "product_ids": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://global.vhd.com.cn/list-42.html"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2025-35451",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Certain PTZOptics and possibly other ValueHD-based cameras have SSH or telnet or both enabled by default. Operating system users with administrative privileges (including the root user) have default passwords that are trivial to crack. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009",
          "CSAFPID-0010",
          "CSAFPID-0011",
          "CSAFPID-0012",
          "CSAFPID-0013",
          "CSAFPID-0036",
          "CSAFPID-0037",
          "CSAFPID-0038",
          "CSAFPID-0039"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-35451"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "PTZOptics has provided a fix to the affected versions for the listed CVEs. The fix for each product can be obtained on the PTZOptics Known Vulnerabilities and Fixes site.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://ptzoptics.com/known-vulnerabilities-and-fixes/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD, multiCAM Systems, and SMTAV did not respond to requests for coordination. Please contact the respective companies through the following means for more information:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        },
        {
          "category": "mitigation",
          "details": "SMTAV Contact Us page.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.smtav.com/pages/about"
        },
        {
          "category": "mitigation",
          "details": "multiCAM Systems Contact Us page.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.multicam-systems.com/contact/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD Contact Us page.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://global.vhd.com.cn/list-42.html"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011",
            "CSAFPID-0012",
            "CSAFPID-0013",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2025-35452",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "PTZOptics and possibly other ValueHD-based cameras use a default, shared password for the administrative web interface. The table below shows the affected firmware. This has been patched on production firmware for the current generation of devices.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0014",
          "CSAFPID-0015",
          "CSAFPID-0016",
          "CSAFPID-0017",
          "CSAFPID-0018",
          "CSAFPID-0019",
          "CSAFPID-0020",
          "CSAFPID-0021",
          "CSAFPID-0022",
          "CSAFPID-0023",
          "CSAFPID-0024",
          "CSAFPID-0025",
          "CSAFPID-0026",
          "CSAFPID-0027",
          "CSAFPID-0028",
          "CSAFPID-0029",
          "CSAFPID-0030",
          "CSAFPID-0031",
          "CSAFPID-0032",
          "CSAFPID-0033",
          "CSAFPID-0034",
          "CSAFPID-0035",
          "CSAFPID-0036",
          "CSAFPID-0037",
          "CSAFPID-0038",
          "CSAFPID-0039"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-35452"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "PTZOptics has provided a fix to the affected versions for the listed CVEs. The fix for each product can be obtained on the PTZOptics Known Vulnerabilities and Fixes site.",
          "product_ids": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://ptzoptics.com/known-vulnerabilities-and-fixes/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD, multiCAM Systems, and SMTAV did not respond to requests for coordination. Please contact the respective companies through the following means for more information:",
          "product_ids": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        },
        {
          "category": "mitigation",
          "details": "SMTAV Contact Us page.",
          "product_ids": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.smtav.com/pages/about"
        },
        {
          "category": "mitigation",
          "details": "multiCAM Systems Contact Us page.",
          "product_ids": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://www.multicam-systems.com/contact/"
        },
        {
          "category": "mitigation",
          "details": "ValueHD Contact Us page.",
          "product_ids": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ],
          "url": "https://global.vhd.com.cn/list-42.html"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0014",
            "CSAFPID-0015",
            "CSAFPID-0016",
            "CSAFPID-0017",
            "CSAFPID-0018",
            "CSAFPID-0019",
            "CSAFPID-0020",
            "CSAFPID-0021",
            "CSAFPID-0022",
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033",
            "CSAFPID-0034",
            "CSAFPID-0035",
            "CSAFPID-0036",
            "CSAFPID-0037",
            "CSAFPID-0038",
            "CSAFPID-0039"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-8956 (GCVE-0-2024-8956)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

BDU:2024-08975

FKIE_CVE-2024-8956

GHSA-58RW-8PF6-2MGQ

ICSA-25-162-10

Tags

Sightings

Nomenclature