CVE-2024-8956
published 2024-09-17

Priority: P192, critical
CVSS 3.1: 9.1 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N)
KEV: CISA Known Exploited Vulnerability, due 2024-11-25
ITW: Exploited in the wild
EPSS: 60.88% (99.0th percentile)

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ptzoptics | pt30x-ndi | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-ndi-xx-g2_firmware | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-sdi | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-sdi_firmware | < 6.3.40 | 6.3.40 |

Detection & IOCs

path: /cgi-bin/param.cgi
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)"; flow:established,to_client; flowbits:isset,ET.2024.8956; http.response_body; bsize:33; content:"|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|"; fast_pattern; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:successful-admin; sid:2057227; rev:2; metadata:affected_product IP_Camera, created_at 2024_11_04, cve CVE_2024_8956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes:
|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|
  • Detect unauthenticated HTTP requests to /cgi-bin/param.cgi that lack an HTTP Authorization header — this is the core exploitation vector for CVE-2024-8956.
  • Successful exploitation returns a 33-byte JSON response body matching {"Response":{"Result":"Success"}} (hex: 7b 22 52 65 73 70 6f 6e 73 65 22 3a 7b 22 52 65 73 75 6c 74 22 3a 22 53 75 63 63 65 73 73 22 7d 7d). Use the Snort/ET rule sid:2057227 with flowbit ET.2024.8956 to detect successful auth bypass responses.
  • CVE-2024-8956 is chained with CVE-2024-8957 (OS command injection via the ntp_addr field). Monitor for writes to the ntp_addr configuration parameter via /cgi-bin/param.cgi, especially values containing shell metacharacters.
  • The vulnerability is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application), Initial Access tactic (TA0001). Correlate perimeter HTTP logs for requests to /cgi-bin/param.cgi without Authorization headers from external IPs.
  • Leaked data from exploitation includes MD5 password hashes. Monitor for exfiltration of credential data (usernames, MD5 hashes) from camera management interfaces.
  • Affected firmware versions are VHD PTZ camera firmware < 6.3.40. Models PT20X-NDI-G2 and PT12X-NDI-G2 reached end-of-life and did not receive patches. PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3 were also found vulnerable but had not received patches as of the reporting date.
  • The Snort/ET rule (sid:2057227) detects the successful server response (to_client, bsize:33) rather than the inbound exploit request, and requires SSL decryption for HTTPS-protected camera interfaces.
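
The detection notes above can be combined into one pass over proxy or sensor HTTP records. The following is an added example, not code from this page or from PTZOptics: the record fields (src, uri, request_headers, request_body, response_body), the finding names and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/cgi-bin/param.cgi"
# 33-byte response body matched by sid:2057227.
SUCCESS_BODY = b'{"Response":{"Result":"Success"}}'
# Shell metacharacters; an NTP host name or IP address needs none of them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\s]")

def classify(event):
    """Return the set of findings for one HTTP transaction record."""
    findings = set()
    url = urlsplit(event["uri"])
    if url.path != TARGET_PATH:
        return findings
    if any(h.lower() == "authorization" for h in event.get("request_headers", {})):
        return findings  # request carried credentials; not the CVE-2024-8956 pattern
    findings.add("unauth_param_cgi")
    if event.get("response_body", "").encode() == SUCCESS_BODY:
        findings.add("bypass_success")
    # Parameters may arrive in the query string or a form-encoded body;
    # parse_qsl percent-decodes values before the metacharacter check.
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(event.get("request_body", ""), keep_blank_values=True)
    for name, value in params:
        if "ntp_addr" in name:  # assumption: match any parameter naming ntp_addr
            findings.add("ntp_addr_write")
            if SHELL_META.search(value):
                findings.add("ntp_addr_metachar")
    return findings

def scan(events):
    """Return (source IP, sorted findings) for every record with a finding."""
    hits = [(e["src"], sorted(classify(e))) for e in events]
    return [h for h in hits if h[1]]

OK = SUCCESS_BODY.decode()
# Constructed sample records (documentation IP ranges), not captured traffic.
SAMPLE_EVENTS = [
    {"src": "203.0.113.10", "uri": "/cgi-bin/param.cgi?example_key=1",
     "request_headers": {"Host": "cam.example"}, "response_body": "{}"},
    {"src": "192.0.2.5", "uri": "/cgi-bin/param.cgi?example_key=1",
     "request_headers": {"Host": "cam.example", "Authorization": "Basic ..."}},
    {"src": "203.0.113.77", "uri": "/cgi-bin/param.cgi",
     "request_headers": {"Host": "cam.example"},
     "request_body": "ntp_addr=198.51.100.9%3Bx", "response_body": OK},
    {"src": "203.0.113.78", "uri": "/cgi-bin/param.cgi?ntp_addr=pool.example.org",
     "request_headers": {"Host": "cam.example"}, "response_body": OK},
    {"src": "203.0.113.79", "uri": "/index.html", "request_headers": {}},
]

if __name__ == "__main__":
    for src, found in scan(SAMPLE_EVENTS):
        print(src, ",".join(found))
```

Records tagged bypass_success or ntp_addr_metachar warrant immediate triage; unauth_param_cgi alone is worth correlating with the source address, as the T1190 note above suggests.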

CVSS provenance

nvd: v3.1, 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 9.1 CRITICAL
cisa: 9.1 CRITICAL