CVE-2024-8956
Published 2024-09-17
Priority: P192 · critical · 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2024-11-25
Exploited in the wild
EPSS: 60.88% (99.0th percentile)
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is that a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ptzoptics | pt30x-ndi | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-ndi-xx-g2_firmware | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-sdi | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-sdi_firmware | < 6.3.40 | 6.3.40 |
Detection & IOCs (extracted from sources)
Snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)"; flow:established,to_client; flowbits:isset,ET.2024.8956; http.response_body; bsize:33; content:"|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|"; fast_pattern; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:successful-admin; sid:2057227; rev:2; metadata:affected_product IP_Camera, created_at 2024_11_04, cve CVE_2024_8956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes
|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|
- Detect unauthenticated HTTP requests to /cgi-bin/param.cgi that lack an HTTP Authorization header: this is the core exploitation vector for CVE-2024-8956.
- Successful exploitation returns a 33-byte JSON response body matching {"Response":{"Result":"Success"}} (hex: 7b 22 52 65 73 70 6f 6e 73 65 22 3a 7b 22 52 65 73 75 6c 74 22 3a 22 53 75 63 63 65 73 73 22 7d 7d). Use the Snort/ET rule sid:2057227 with flowbit ET.2024.8956 to detect successful auth bypass responses.
- CVE-2024-8956 is chained with CVE-2024-8957 (OS command injection via the ntp_addr field). Monitor for writes to the ntp_addr configuration parameter via /cgi-bin/param.cgi, especially values containing shell metacharacters.
- The vulnerability is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application), Initial Access tactic (TA0001). Correlate perimeter HTTP logs for requests to /cgi-bin/param.cgi without Authorization headers from external IPs.
- Leaked data from exploitation includes MD5 password hashes. Monitor for exfiltration of credential data (usernames, MD5 hashes) from camera management interfaces.
- Affected firmware versions are VHD PTZ camera firmware < 6.3.40. Models PT20X-NDI-G2 and PT12X-NDI-G2 reached end-of-life and did not receive patches. PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3 were also found vulnerable but had not received patches as of the reporting date.
- The Snort/ET rule (sid:2057227) detects the successful server response (to_client, bsize:33) rather than the inbound exploit request, and requires SSL decryption for HTTPS-protected camera interfaces.
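The two ET rules quoted on this page encode a simple flow-aware pattern: flag the inbound param.cgi query that arrives without an Authorization header, then only treat the 33-byte success body as a confirmed bypass if that flag was set on the same flow. The following is an added Python example (not code from the page's sources or from Proofpoint/ET) that replays that logic over a constructed set of request/response events, and additionally flags param.cgi writes to ntp_addr that carry shell metacharacters, as the chaining bullet above recommends. The event format, the flow identifiers, and the assumption that an ntp_addr write appears as an `ntp_addr=<value>` pair in the query string or form body are all constructed for this example; the page does not document the exact param.cgi write syntax.

```python
"""Flow-aware detection of CVE-2024-8956 auth-bypass traffic (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# The 33-byte success body matched by sid:2057227 (bsize:33).
SUCCESS_BODY = b'{"Response":{"Result":"Success"}}'

# Query verbs matched by the inbound rule sid:2057216 (its pcre anchors ^...$
# right after "/cgi-bin/param.cgi?", so the whole query must be one of these).
BYPASS_QUERIES = {
    "get_network_conf",
    "get_system_conf",
    "get_netport_conf",
    "post_network_other_conf",
}

# Characters that should never appear in an NTP server address.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def is_bypass_attempt(req):
    """Mirror sid:2057216: short param.cgi query verb, no Authorization header."""
    uri = req["uri"]
    if not uri.startswith("/cgi-bin/param.cgi?") or len(uri) >= 43:  # urilen:<43
        return False
    if urlsplit(uri).query not in BYPASS_QUERIES:
        return False
    header_names = {name.lower() for name in req["headers"]}  # to_lowercase
    return "authorization" not in header_names


def is_bypass_success(resp):
    """Mirror sid:2057227: the exact 33-byte JSON success body."""
    return resp["body"] == SUCCESS_BODY


def ntp_addr_value(req):
    """Return the ntp_addr value a param.cgi request carries, or None.

    Assumption (constructed for this example): the write is sent as an
    ntp_addr=<value> pair in the query string or the form body.
    """
    if not req["uri"].startswith("/cgi-bin/param.cgi"):
        return None
    params = parse_qs(urlsplit(req["uri"]).query)
    params.update(parse_qs(req.get("body", b"").decode("latin-1")))
    values = params.get("ntp_addr")
    return values[0] if values else None


def analyze(events):
    """Walk ordered events; a per-flow set stands in for flowbits ET.2024.8956."""
    flagged_flows = set()
    alerts = []
    for ev in events:
        if ev["type"] == "request":
            if is_bypass_attempt(ev):
                flagged_flows.add(ev["flow"])
                alerts.append((ev["flow"], "attempt"))
            value = ntp_addr_value(ev)
            if value is not None and SHELL_META.search(value):
                alerts.append((ev["flow"], "ntp_addr_metachar"))
        elif ev["type"] == "response":
            # Only a success body on an already-flagged flow is a confirmed bypass.
            if ev["flow"] in flagged_flows and is_bypass_success(ev):
                alerts.append((ev["flow"], "success"))
    return alerts


# Constructed sample traffic: flow 1 is an unauthenticated read that succeeds,
# flow 2 is the same read with credentials (benign), flow 3 is a config write
# carrying a ';' in ntp_addr (placeholder value, not a real payload).
SAMPLE_EVENTS = [
    {"flow": 1, "type": "request", "uri": "/cgi-bin/param.cgi?get_system_conf",
     "headers": {"Host": "camera.example"}},
    {"flow": 1, "type": "response", "body": SUCCESS_BODY},
    {"flow": 2, "type": "request", "uri": "/cgi-bin/param.cgi?get_system_conf",
     "headers": {"Host": "camera.example", "Authorization": "Basic <redacted>"}},
    {"flow": 2, "type": "response", "body": SUCCESS_BODY},
    {"flow": 3, "type": "request", "uri": "/cgi-bin/param.cgi?ntp_addr=203.0.113.7%3Bx",
     "headers": {"Host": "camera.example"}},
    {"flow": 3, "type": "response", "body": b'{"Response":{"Result":"Fail"}}'},
]

if __name__ == "__main__":
    for flow, kind in analyze(SAMPLE_EVENTS):
        print(f"flow {flow}: {kind}")
```

Flow 2 shows why the success-body rule is gated on the flowbit: the camera returns the same 33-byte body to a legitimately authenticated read, so matching the response alone would alert on every normal management call. Because sid:2057227 only fires on the decrypted server response, this logic needs the same SSL decryption the rule metadata asks for when the camera interface is served over HTTPS.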
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vulncheck | 9.1 | CRITICAL | |
| cisa | 9.1 | CRITICAL | |
CISA ICS
PTZOptics and Other Pan-Tilt-Zoom Cameras
cisa_ics·2025-06-12·CVSS 9.8
[CRITICAL] PTZOptics and Other Pan-Tilt-Zoom Cameras
ICS Advisory
PTZOptics and Other Pan-Tilt-Zoom Cameras
Release Date: June 12, 2025
Alert Code: ICSA-25-162-10
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ValueHD, PTZOptics, multiCAM Systems, SMTAV
- Equipment: Various pan-tilt-zoom cameras
- Vulnerabilities: Improper Authentication, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Use of Hard-coded Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded cr
CISA
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
cisa·2024-11-04·CVSS 9.1
CVE-2024-8956 [CRITICAL] CWE-287 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Vulnerability: PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Affected: PTZOptics PT30X-SDI/NDI Cameras
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://ptzoptics.com/firmware-changelog/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-8956
Remediation Due Date: 2024-11-25
GHSA
GHSA-9cx9-7v8g-h36v: PTZOptics PT30X-SDI/NDI-xx before firmware 6
ghsa_unreviewed·2024-09-17·CVSS 9.1
CVE-2024-8957 [CRITICAL] CWE-78 GHSA-9cx9-7v8g-h36v: PTZOptics PT30X-SDI/NDI-xx before firmware 6
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
GHSA
GHSA-58rw-8pf6-2mgq: PTZOptics PT30X-SDI/NDI-xx before firmware 6
ghsa_unreviewed·2024-09-17
CVE-2024-8956 [CRITICAL] CWE-287 GHSA-58rw-8pf6-2mgq: PTZOptics PT30X-SDI/NDI-xx before firmware 6
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is that a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
VulnCheck
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-8956 [CRITICAL] CWE-287 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Affected: PTZOptics PT30X-SDI/NDI Cameras
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2024-8956; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.xlab.qianxin.com/gayfemboy-en/; https://www.fortiguard.com/outbreak-alert/ptzoptics-cameras-attack; https://info.greyn
Suricata
ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)
suricata·2024-11-04·CVSS 9.1
CVE-2024-8956 [CRITICAL] ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)
ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)"; flow:established,to_client; flowbits:isset,ET.2024.8956; http.response_body; bsize:33; content:"|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|"; fast_pattern; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:successful-admin; sid:2057227; rev:2; metadata:affected_product IP_Camera, created_at 2024_11_04, cve CVE_2024_8956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_
Suricata
ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956)
suricata·2024-11-04·CVSS 9.1
CVE-2024-8956 [CRITICAL] ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956)
ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956)"; flow:established,to_server; flowbits:set,ET.2024.8956; urilen:<43; http.uri; content:"|2f|cgi|2d|bin|2f|param|2e|cgi|3f|"; startswith; fast_pattern; pcre:"/^(?:(?:get\x5fnetwork\x5fconf)|(?:get\x5fsystem\x5fconf)|(?:get\x5fnetport\x5fconf)|(?:post\x5fnetwork\x5fother\x5fconf))$/R"; http.header_names; to_lowercase; strip_pseudo_headers; content:!"|0d 0a|authorization|0d 0a|"; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:attempted-admin; sid:2057216; rev:1; metad
No public exploits indexed.
Bleepingcomputer
New Mirai botnet targets industrial routers with zero-day exploits
blogs_bleepingcomputer·2025-01-07·CVSS 8.8
CVE-2024-12856 [HIGH] New Mirai botnet targets industrial routers with zero-day exploits
## New Mirai botnet targets industrial routers with zero-day exploits
## Bill Toulas
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices.
Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks.
One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December but noticed efforts to exploit it around December 20.
to leverage zero-day exploits has been leveraging a zero-day exploit for CVE-2024-12856, impacting Four-Faith routers, alongside other custom exploits for flaws in Neterbit
Bleepingcomputer
Hackers target critical zero-day vulnerability in PTZ cameras
blogs_bleepingcomputer·2024-10-31·CVSS 9.1
CVE-2024-8956 [CRITICAL] Hackers target critical zero-day vulnerability in PTZ cameras
## Hackers target critical zero-day vulnerability in PTZ cameras
## Bill Toulas
A technical deep-dive by GreyNoise researcher Konstantin Lazarev provides more info on the two flaws.
CVE-2024-8956 is a weak authentication problem in the camera's 'lighthttpd' web server, allowing unauthorized users to access the CGI API without an authorization header, which exposes usernames, MD5 password hashes, and network configurations.
CVE-2024-8957 is caused by insufficient input sanitization in the 'ntp_addr' field processed by the 'ntp_client' binary, allowing attackers to use a specially crafted payload to insert commands for remote code execution.
Greynoise notes that exploitation of these two flaws can lead to complete camera takeover, infection with bots, pivoting to other devices connecte
Greynoiseio
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
blogs_greynoiseio·2024-10-31
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
Storm⚡️Watch
References
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-insufficient-auth
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
Timeline
- 2024-09-17: Published
- 2024-11-04: Added to CISA KEV
- Exploited in the wild