CVE-2024-8956 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

Exploit added

November 4, 2024

Action due

November 25, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-287	Improper Authentication

Details

Source:
NVD

Published:
September 17, 2024

Updated:
November 5, 2024

Risk information

CVSS v3

Base score:
9.1

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2

Not defined