PT-2024-7569 · Ptzoptics · Ptzoptics Pt30X-Sdi/Ndi-Xx

Konstantin Lazarev · Published 2024-09-17 · Updated 2025-09-26 · CVE-2024-8956

CVSS v3.1: 9.4 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
PTZOptics PT30X-SDI/NDI-xx versions prior to 6.3.40

Description
The issue is related to insufficient authentication in PTZOptics cameras. When requests are sent without an HTTP Authorization header to the /cgi-bin/param.cgi endpoint, the camera does not properly enforce authentication. This allows a remote and unauthenticated attacker to leak sensitive data, such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file. The vulnerability is being actively exploited by hackers, targeting PTZOptics cameras used in critical sectors, including healthcare, government, and industrial settings.

Recommendations
For PTZOptics PT30X-SDI/NDI-xx versions prior to 6.3.40, update the firmware to version 6.3.40 or later to resolve the issue. As a temporary workaround, consider restricting access to the /cgi-bin/param.cgi endpoint to minimize the risk of exploitation. Avoid using the camera until the firmware is updated to prevent potential data leaks and configuration manipulation.
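
To check whether the endpoint has already been reached without credentials, the following added example (not code from this advisory or from PTZOptics) scans access logs for requests to /cgi-bin/param.cgi. It assumes the cameras sit behind a reverse proxy that writes Combined Log Format with the authenticated user in the third field; the management subnet and the sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: the cameras sit behind a reverse proxy that writes Combined Log
# Format, where field 3 is the authenticated user ("-" when none was supplied).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/cgi-bin/param.cgi"  # endpoint named in the advisory
# Assumption: hypothetical management subnet that is allowed to reach cameras.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def normalise(target):
    """Drop the query string, decode %xx, collapse '//' and '/./' variants."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def in_mgmt_net(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in MGMT_NETS)

def classify(line):
    """Return a finding dict for a suspicious param.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m or normalise(m["target"]) != ENDPOINT:
        return None
    reasons = []
    if m["user"] == "-":
        reasons.append("no-credentials")
    if not in_mgmt_net(m["src"]):
        reasons.append("outside-mgmt-net")
    if not reasons:
        return None
    # A 2xx answer to a credential-less request means the camera served it.
    served = m["user"] == "-" and m["status"].startswith("2")
    return {"src": m["src"], "method": m["method"], "status": int(m["status"]),
            "reasons": reasons, "served_without_auth": served}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation addresses, placeholder query strings).
SAMPLE = [
    '203.0.113.7 - - [17/Sep/2024:10:00:01 +0000] "GET /cgi-bin/param.cgi?placeholder HTTP/1.1" 200 512 "-" "-"',
    '10.20.0.15 - admin [17/Sep/2024:10:05:00 +0000] "GET /cgi-bin/param.cgi?placeholder HTTP/1.1" 200 512 "-" "-"',
    '10.20.0.15 - - [17/Sep/2024:10:06:00 +0000] "POST /cgi-bin//param.cgi HTTP/1.1" 401 0 "-" "-"',
]
```

A finding with `served_without_auth` set is the case to triage first: the request carried no credentials and still received a success status.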

Exploit

Fix

Weakness Enumeration

Missing Authentication
Improper Authentication

Related Identifiers

BDU:2024-08975
CVE-2024-8956

Affected Products

Ptzoptics Pt30X-Sdi/Ndi-Xx