CVE Alert

CVE-2024-8956

CRITICAL 9.1 ⚠️ CISA KEV

PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

CWE: CWE-306
Vendor: ptzoptics
Product: pt30x-sdi
Published: Sep 17, 2024
Last Updated: Nov 22, 2025
⚠️ Actively Exploited


CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

PTZOptics / PT30X-SDI: all versions before 6.3.40
PTZOptics / PT30X-NDI: all versions before 6.3.40

References

ptzoptics.com: https://ptzoptics.com/firmware-changelog/
vulncheck.com: https://vulncheck.com/advisories/ptzoptics-insufficient-auth
labs.greynoise.io: https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
greynoise.io: https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956

Credits

Konstantin Lazarev of GreyNoise