Vulnerability Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ptzoptics | Pt30X-Sdi Firmware | < 6.3.40 |
| Ptzoptics | Pt30X-Sdi | - |
| Ptzoptics | Pt30X-Ndi-Xx-G2 Firmware | < 6.3.40 |
| Ptzoptics | Pt30X-Ndi-Xx-G2 | - |
Related Weaknesses (CWE)
References
- https://ptzoptics.com/firmware-changelog/ (Release Notes)
- https://vulncheck.com/advisories/ptzoptics-command-injection (Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024- (US Government Resource)
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerab (Third Party Advisory)
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-8957?
CVE-2024-8957 is a vulnerability with a CVSS score of 7.2 (HIGH). PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary...
How severe is CVE-2024-8957?
CVE-2024-8957 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-8957?
Check the references section above for vendor advisories and patch information. Affected products include: Ptzoptics Pt30X-Sdi Firmware, Ptzoptics Pt30X-Sdi, Ptzoptics Pt30X-Ndi-Xx-G2 Firmware, Ptzoptics Pt30X-Ndi-Xx-G2.