CVE-2024-8956
PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication
In short
PTZOptics cameras allow anyone to access and modify camera settings without logging in by sending requests to a specific web address. An attacker can steal passwords, usernames, and camera configurations, or change settings remotely without permission.
Technical detail
The /cgi-bin/param.cgi endpoint in PTZOptics PT30X-SDI/NDI cameras fails to validate HTTP Authorization headers, allowing unauthenticated remote access. Attackers can retrieve sensitive data including credential hashes and configuration parameters, or perform unauthorized modifications to camera settings via parameter manipulation.
Summary generated and translated by AI from the official description.
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
public PoCs found — 1
cve_referencewww.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://ptzoptics.com/firmware-changelog/https://vulncheck.com/advisories/ptzoptics-insufficient-authhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-aihttps://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/