CVE-2024-8957
Published 2024-09-17
CVE-2024-8957: PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr…
Priority: P1 · 90 · high
CVSS 3.1: 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2024-11-25
Exploited in the wild
EPSS: 81.97% (99.6th percentile)
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ptzoptics | pt30x-ndi-xx-g2_firmware | < 6.3.40 | 6.3.40 |
| ptzoptics | pt30x-sdi_firmware | < 6.3.40 | 6.3.40 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /cgi-bin/param.cgi that are sent without an HTTP Authorization header, as CVE-2024-8956 allows unauthenticated access to this endpoint, which is then chained with CVE-2024-8957 for RCE.
- Inspect the ntp_addr parameter in requests to /cgi-bin/param.cgi for OS command injection payloads (e.g., shell metacharacters, backticks, semicolons, pipe characters).
- Watch for wget-based shell script downloads originating from PTZ camera devices, indicative of post-exploitation reverse shell staging.
- Leaked MD5 password hashes from /cgi-bin/param.cgi responses should be treated as compromised; monitor for subsequent authentication attempts using cracked credentials.
- CVE-2024-8957 requires chaining with CVE-2024-8956 for unauthenticated exploitation; standalone it requires high-privilege (PR:H) access per CVSS scoring.
- Models PT20X-NDI-G2 and PT12X-NDI-G2 reached end-of-life and did not receive a patch; PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3 were also found vulnerable after the initial patch release.
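The first two detection items above can be turned into a small triage routine. The following Python is an added example, not code from PTZOptics, CISA or any of the sources quoted on this page. It assumes the SOC already receives HTTP request events from a proxy, WAF or camera access log as dicts with `src_ip`, `path`, `query` and a lower-cased `headers` map (an assumption about the log pipeline, not a vendor format), and it assumes `ntp_addr` arrives as a query-string parameter of `/cgi-bin/param.cgi`. The sample events at the bottom are constructed for the demonstration.

```python
"""Triage helpers for the CVE-2024-8956 / CVE-2024-8957 chain.

Constructed example, not vendor or advisory code.  Event shape
({'src_ip', 'method', 'path', 'query', 'headers'}) is an assumption
about the log pipeline feeding the SOC.
"""
import re
from urllib.parse import parse_qs

PARAM_CGI = "/cgi-bin/param.cgi"

# Characters that never belong in an NTP server address but let a value
# escape a shell command line (the indicators named in the list above).
SHELL_METACHARS = set(";|&`$(){}<>\n\r'\"\\")

# Allowlist for a legitimate ntp_addr: a DNS hostname or dotted IPv4.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def missing_authorization(event):
    """True when param.cgi is requested with no Authorization header
    (the CVE-2024-8956 pattern: the endpoint answered without credentials)."""
    return event["path"] == PARAM_CGI and "authorization" not in event["headers"]


def ntp_addr_values(event):
    """Every ntp_addr value in the query string, percent-decoded by parse_qs.
    Assumption: the parameter is passed in the query string."""
    params = parse_qs(event.get("query", ""), keep_blank_values=True)
    return params.get("ntp_addr", [])


def ntp_addr_findings(event):
    """Flag ntp_addr values carrying shell metacharacters, or values that are
    not a plausible hostname/IPv4.  Returns a list of (value, reason)."""
    findings = []
    for value in ntp_addr_values(event):
        bad = sorted(c for c in set(value) if c in SHELL_METACHARS)
        if bad:
            reason = "shell metacharacters: " + " ".join(repr(c) for c in bad)
            findings.append((value, reason))
        elif not HOSTNAME_RE.match(value):
            findings.append((value, "not a hostname or IPv4 address"))
    return findings


def triage(events):
    """Run both checks over a batch; one alert dict per offending request."""
    alerts = []
    for ev in events:
        if ev["path"] != PARAM_CGI:
            continue  # only the vulnerable endpoint is of interest here
        reasons = []
        if missing_authorization(ev):
            reasons.append("unauthenticated param.cgi request (CVE-2024-8956)")
        for value, why in ntp_addr_findings(ev):
            reasons.append(f"suspicious ntp_addr={value!r}: {why} (CVE-2024-8957)")
        if reasons:
            alerts.append({"src_ip": ev["src_ip"], "reasons": reasons})
    return alerts


# Constructed sample events: an authenticated admin setting a normal NTP
# server, an unauthenticated read of param.cgi, an unauthenticated request
# with a metacharacter inside ntp_addr, and an unrelated page load.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "method": "GET", "path": PARAM_CGI,
     "query": "ntp_addr=pool.ntp.org",
     "headers": {"authorization": "Basic REDACTED"}},
    {"src_ip": "198.51.100.7", "method": "GET", "path": PARAM_CGI,
     "query": "", "headers": {}},
    {"src_ip": "198.51.100.7", "method": "GET", "path": PARAM_CGI,
     "query": "ntp_addr=pool.ntp.org%3Becho%20injected", "headers": {}},
    {"src_ip": "10.0.0.9", "method": "GET", "path": "/index.html",
     "query": "", "headers": {}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["src_ip"], "->", "; ".join(alert["reasons"]))
```

The allowlist check matters more than the metacharacter blocklist: a firmware fix for this class of bug is to accept only a hostname or IP for `ntp_addr` before it is ever handed to `ntp_client`, and the same rule gives a detection that does not depend on guessing which characters an attacker will use.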
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.1 | CRITICAL | |
| cisa | | 9.1 | CRITICAL | |
CISA ICS
PTZOptics and Other Pan-Tilt-Zoom Cameras
cisa_ics·2025-06-12·CVSS 9.8
[CRITICAL] PTZOptics and Other Pan-Tilt-Zoom Cameras
ICS Advisory
PTZOptics and Other Pan-Tilt-Zoom Cameras
Release Date: June 12, 2025
Alert Code: ICSA-25-162-10
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ValueHD, PTZOptics, multiCAM Systems, SMTAV
- Equipment: Various pan-tilt-zoom cameras
- Vulnerabilities: Improper Authentication, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Use of Hard-coded Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded cr
CISA
PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
cisa·2024-11-04·CVSS 7.2
CVE-2024-8957 [HIGH] CWE-78 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
Vulnerability: PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
Affected: PTZOptics PT30X-SDI/NDI Cameras
PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://ptzoptics.com/firmware-changelog/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-8957
Remediation Due Date: 2024-11-25
CISA
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
cisa·2024-11-04·CVSS 9.1
CVE-2024-8956 [CRITICAL] CWE-287 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Vulnerability: PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
Affected: PTZOptics PT30X-SDI/NDI Cameras
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://ptzoptics.com/firmware-changelog/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-8956
Remediation Due Date: 2024-11-25
GHSA
GHSA-9cx9-7v8g-h36v: PTZOptics PT30X-SDI/NDI-xx before firmware 6
ghsa_unreviewed·2024-09-17·CVSS 9.1
CVE-2024-8957 [CRITICAL] CWE-78 GHSA-9cx9-7v8g-h36v: PTZOptics PT30X-SDI/NDI-xx before firmware 6
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
VulnCheck
PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-8957 [HIGH] CWE-78 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
Affected: PTZOptics PT30X-SDI/NDI Cameras
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2024-8957; https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.xlab.qianxin.com/gayfemboy-en/; https://www.
VulnCheck
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-8956 [CRITICAL] CWE-287 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Affected: PTZOptics PT30X-SDI/NDI Cameras
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2024-8956; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.xlab.qianxin.com/gayfemboy-en/; https://www.fortiguard.com/outbreak-alert/ptzoptics-cameras-attack; https://info.greyn
No detection rules found.
No public exploits indexed.
Bleepingcomputer
New Mirai botnet targets industrial routers with zero-day exploits
blogs_bleepingcomputer·2025-01-07·CVSS 8.8
CVE-2024-12856 [HIGH] New Mirai botnet targets industrial routers with zero-day exploits
## New Mirai botnet targets industrial routers with zero-day exploits
## Bill Toulas
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices.
Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks.
One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December but noticed efforts to exploit it around December 20.
to leverage zero-day exploits has been leveraging a zero-day exploit for CVE-2024-12856, impacting Four-Faith routers, alongside other custom exploits for flaws in Neterbit
Bleepingcomputer
Hackers target critical zero-day vulnerability in PTZ cameras
blogs_bleepingcomputer·2024-10-31·CVSS 9.1
CVE-2024-8956 [CRITICAL] Hackers target critical zero-day vulnerability in PTZ cameras
## Hackers target critical zero-day vulnerability in PTZ cameras
## Bill Toulas
A technical deep-dive by GreyNoise researcher Konstantin Lazarev provides more info on the two flaws.
CVE-2024-8956 is a weak authentication problem in the camera's 'lighthttpd' web server, allowing unauthorized users to access the CGI API without an authorization header, which exposes usernames, MD5 password hashes, and network configurations.
CVE-2024-8957 is caused by insufficient input sanitization in the 'ntp_addr' field processed by the 'ntp_client' binary, allowing attackers to use a specially crafted payload to insert commands for remote code execution.
Greynoise notes that exploitation of these two flaws can lead to complete camera takeover, infection with bots, pivoting to other devices connecte
Greynoiseio
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
blogs_greynoiseio·2024-10-31
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
Storm⚡️Watch
References
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-command-injection
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8957
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
Timeline
- 2024-09-17: Published
- 2024-11-04: Added to CISA KEV
- Exploited in the wild