CVE-2024-8957
PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration
| CVSS Score | 7.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
| CWE | CWE-78 |
| Vendor | ptzoptics |
| Product | pt30x-sdi |
| Published | Sep 17, 2024 |
| Last Updated | Dec 27, 2025 |
Actively Exploited
This vulnerability is actively exploited in the wild.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
| PTZOptics / PT30X-SDI | 0 < 6.3.40 |
| PTZOptics / PT30X-NDI | 0 < 6.3.40 |
References
ptzoptics.com: https://ptzoptics.com/firmware-changelog/
vulncheck.com: https://vulncheck.com/advisories/ptzoptics-command-injection
labs.greynoise.io: https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
greynoise.io: https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8957
Credits
Konstantin Lazarev of GreyNoise