CVE-2024-8957 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability

Exploit added

November 4, 2024

Action due

November 25, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Details

Source:
NVD

Published:
September 17, 2024

Updated:
November 5, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined