PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.
A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data. Federal agencies are required to remediate by 2024-11-25 under CISA BOD 22-01.
This is a Missing Authentication for Critical Function (CWE-306) vulnerability in PTZOptics PT30X-SDI/NDI Cameras. PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References