Vulnerability Details CVE-2024-8957
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.46
EPSS Ranking 97.5%
CVSS Severity
CVSS v3 Score 7.2
Proposed Action
PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
Ransomware Campaign
Unknown
Products affected by CVE-2024-8957
- cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-
- cpe:2.3:h:ptzoptics:pt30x-sdi:-
- cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*
- cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*