Vulnerability Details CVE-2024-8956
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.869
EPSS Ranking 99.4%
CVSS Severity
CVSS v3 Score 9.1
Proposed Action
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Ransomware Campaign
Unknown
References
Products affected by CVE-2024-8956
-
cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-
-
cpe:2.3:h:ptzoptics:pt30x-sdi:-
-
cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*
-
cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*