Vulnerability Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
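The following is a simplified model of the flaw, added here as an illustration and not code from the PTZOptics firmware: the vulnerable check validates credentials only when an Authorization header is present, so omitting the header skips the check entirely, while the fixed check defaults to deny. The credential store, helper names and status codes are constructed for the demo.

```python
import base64
import hmac

# Constructed credential store for the demo (not the camera's real accounts).
VALID_USERS = {"admin": "correct-horse"}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_credentials_ok(auth_header: str) -> bool:
    """Validate a Basic Authorization header against VALID_USERS."""
    scheme, _, encoded = auth_header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return False
    user, _, password = decoded.partition(":")
    expected = VALID_USERS.get(user)
    # Constant-time compare so a wrong user and a wrong password look the same.
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def vulnerable_authorize(headers: dict) -> bool:
    """Mirrors the flaw described above: credentials are checked only when an
    Authorization header is supplied, so a request without one is let through."""
    auth = headers.get("Authorization")
    if auth is None:
        return True  # BUG: absent header is treated as "nothing to verify"
    return _basic_credentials_ok(auth)


def fixed_authorize(headers: dict) -> bool:
    """Default-deny: a missing or invalid Authorization header is rejected."""
    auth = headers.get("Authorization")
    if auth is None:
        return False
    return _basic_credentials_ok(auth)


def handle_param_cgi(headers: dict, authorize) -> int:
    """Return the HTTP status a param.cgi-style handler should send for a request."""
    return 200 if authorize(headers) else 401
```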
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ptzoptics | Pt30X-Sdi Firmware | < 6.3.40 |
| Ptzoptics | Pt30X-Sdi | - |
| Ptzoptics | Pt30X-Ndi-Xx-G2 Firmware | < 6.3.40 |
| Ptzoptics | Pt30X-Ndi-Xx-G2 | - |
Related Weaknesses (CWE)
References
- https://ptzoptics.com/firmware-changelog/ (Release Notes)
- https://vulncheck.com/advisories/ptzoptics-insufficient-auth (Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024- (US Government Resource)
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerab (Third Party Advisory)
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-8956?
CVE-2024-8956 is a vulnerability with a CVSS score of 9.1 (CRITICAL). PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sen...
How severe is CVE-2024-8956?
CVE-2024-8956 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-8956?
Check the references section above for vendor advisories and patch information. Affected products include: Ptzoptics Pt30X-Sdi Firmware, Ptzoptics Pt30X-Sdi, Ptzoptics Pt30X-Ndi-Xx-G2 Firmware, Ptzoptics Pt30X-Ndi-Xx-G2.