PT-2024-7556 · Ptzoptics · Ptzoptics Pt30X-Sdi/Ndi Cameras

Konstantin Lazarev · Published 2024-09-17 · Updated 2025-09-09 · CVE-2024-8957

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: PTZOptics PT30X-SDI/NDI Cameras versions prior to firmware 6.3.40

Description: The issue is an OS command injection. The camera does not sufficiently validate the ntp addr configuration value, which may lead to arbitrary command execution when the ntp client is started. A remote, unauthenticated attacker can exploit this to execute arbitrary OS commands on affected devices by sending a specially crafted request with the ntp addr parameter to the /cgi-bin/param.cgi CGI script.

Recommendations: For PTZOptics PT30X-SDI/NDI Cameras versions prior to firmware 6.3.40, update to firmware 6.3.40 or later to resolve the issue. As a temporary workaround, consider restricting access to the /cgi-bin/param.cgi CGI script and avoiding the use of the ntp addr parameter until the issue is resolved.
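
The missing check described above, sketched as an added example (not the vendor's code or fix): an allowlist validator for an NTP server address that accepts only IP literals and RFC 1123 hostnames, then hands the value to the client as a single argv element instead of a shell string. The function names and the client path are hypothetical, and the sample values are constructed.

```python
import ipaddress
import re

# Characters that can appear in a hostname or an IPv4/IPv6 literal. Checked
# first because ipaddress accepts arbitrary text after '%' (IPv6 scope id).
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: starts and ends with a letter or digit, max 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_ntp_addr(value):
    """Return the address if it is an IP literal or hostname, else raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("NTP address is empty or too long")
    if not _ALLOWED.fullmatch(value):
        raise ValueError("NTP address contains characters outside the allowlist")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    # A leading '-' fails the label rule, so the value cannot become an option.
    if all(_LABEL.fullmatch(label) for label in value.split(".")):
        return value
    raise ValueError("NTP address is not an IP literal or hostname")


def ntp_client_argv(value):
    """Argument vector for a hypothetical NTP client; no shell parses the value."""
    return ["/usr/sbin/ntp-client-placeholder", "--", validate_ntp_addr(value)]


def screen(values):
    """Return (value, accepted) pairs for a batch of configuration values."""
    results = []
    for value in values:
        try:
            validate_ntp_addr(value)
            results.append((value, True))
        except ValueError:
            results.append((value, False))
    return results


# Constructed sample values, not taken from real traffic.
SAMPLES = ["pool.ntp.org", "192.0.2.10", "2001:db8::1",
           "time.example.com;reboot", "$(id)", "-v", "fe80::1%;reboot", "a..b"]

if __name__ == "__main__":
    for value, accepted in screen(SAMPLES):
        print("accept" if accepted else "reject", repr(value))
```
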

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2024-08954, CVE-2024-8957

Affected Products: Ptzoptics Pt30X-Sdi/Ndi Cameras