CVE-2024-8956: PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
First published: Tue Sep 17 2024(Updated: )
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
Credit: disclosure@vulncheck.com disclosure@vulncheck.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PTZOptics PT30X-SDI/NDI | ||
| All of | ||
| PTZOptics PT30X-SDI Firmware | <6.3.40 | |
| PTZOptics PT30X-SDI Firmware | ||
| All of | ||
| PTZOptics PT30X-NDI XX G2 | <6.3.40 | |
| PTZOptics PT30X-NDI-XX-G2 Firmware |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/hackers-target-critical-zero-day-vulnerability-in-ptz-cameras/
- https://ptzoptics.com/firmware-changelog/
- https://vulncheck.com/advisories/ptzoptics-insufficient-auth
- https://nvd.nist.gov/vuln/detail/CVE-2024-8956
- https://www.theregister.com/2025/03/03/infosec_in_brief/
Frequently Asked Questions
What is the severity of CVE-2024-8956?
CVE-2024-8956 is categorized as a critical vulnerability due to the potential for remote code execution.
How does CVE-2024-8956 exploit insecure direct object reference?
CVE-2024-8956 allows attackers to bypass authentication through insecure direct object reference in the /cgi-bin/param.cgi CGI script.
Which PTZOptics products are affected by CVE-2024-8956?
CVE-2024-8956 affects the PTZOptics PT30X-SDI and PT30X-NDI cameras running firmware versions up to 6.3.40.
How can I mitigate CVE-2024-8956?
Mitigation for CVE-2024-8956 involves updating the affected PTZOptics cameras to a patched firmware version.
What is the relationship between CVE-2024-8956 and CVE-2024-8957?
CVE-2024-8956 can be combined with CVE-2024-8957 to potentially allow remote code execution as root.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/severity
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-8956
- alias/CVE-2024-8957
- agent/remedy
- agent/author
- agent/description
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/trending
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/references
- agent/event
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/softwarecombine
- agent/tags
- collector/the-register
- source/The Register
- alias/CVE-2024-53104
- alias/CVE-2024-53197
- alias/CVE-2024-50302
- vendor/ptzoptics
- canonical/ptzoptics pt30x-sdi/ndi
- canonical/ptzoptics pt30x-sdi firmware
- canonical/ptzoptics pt30x-ndi xx g2
- canonical/ptzoptics pt30x-ndi-xx-g2 firmware