CVE-2025-35451
Pan-Tilt-Zoom cameras hard-coded default passwords with SSH and telnet enabled
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
multiCAM Systems · Pan-Tilt-Zoom CamerasPTZOptics · 12x Fixed Camera/NDI Fixed CameraPTZOptics · 20x Fixed Camera/NDI Fixed CameraPTZOptics · EPTZ Fixed Camera/NDI Fixed CameraPTZOptics · HC-EPTZ-NDIPTZOptics · PT12X-4K-xx-G3PTZOptics · PT12X-LINK-4K-xxPTZOptics · PT12X-SDI/NDI-xxPTZOptics · PT12X-SE-xx-G3PTZOptics · PT12X-STUDIO-4K-xx-G3PTZOptics · PT12X-USB-xxPTZOptics · PT20X-4K-xx-G3PTZOptics · PT20X-LINK-4K-xxPTZOptics · PT20X-SDI/NDI-xxPTZOptics · PT20X-SE-xx-G3PTZOptics · PT20X-STUDIO-4K-xx-G3PTZOptics · PT20X-USB-xxPTZOptics · PT30X-4K-xx-G3PTZOptics · PT30X-LINK-4K-xxPTZOptics · PT30X-SDI/NDI-xxPTZOptics · PT30X-SE-xx-G3PTZOptics · PT-STUDIOPROPTZOptics · VL Fixed Camera/NDI Fixed CameraSMTAV · Pan-Tilt-Zoom CamerasValueHD · Pan-Tilt-Zoom CamerasWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-162-10.jsonhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10https://www.cve.org/CVERecord?id=CVE-2025-35451https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-aihttps://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/