CISA Known Exploited Vulnerability (KEV)
Vulnerability Name | Date Added | Due Date | Required Action |
---|---|---|---|
PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability | November 4, 2024 | November 25, 2024 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Description
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
References
Weakness Enumeration
CWE-ID | CWE Name |
---|---|
CWE-287 | Improper Authentication |