
US CISA has added two PTZOptics camera flaws to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.
CVE-2024-8956
PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability (CVSS score 9.1, Critical) that allows a remote attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. Combined with CVE-2024-8957, this can lead to remote code execution as root.
CVE-2024-8957
PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability (CVSS score 7.2, High) that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload in the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
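Both advisories name the same script and, for CVE-2024-8957, the ntp_addr parameter, which gives defenders a concrete thing to hunt for in camera or proxy access logs. The following is an added detection example, not code from the advisory or from PTZOptics: it flags every request to /cgi-bin/param.cgi for review and marks as suspicious any ntp_addr value that is not a plain hostname or IP address. The log format, the sample lines and the placeholder payload are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The CGI script named in both advisories.
TARGET_PATH = "/cgi-bin/param.cgi"

# A legitimate NTP server address is a hostname or an IP address. Shell
# metacharacters (; | & ` $ ( ) whitespace) never belong in one, so any other
# character is treated as a possible injection attempt.
VALID_NTP_ADDR = re.compile(r"^[A-Za-z0-9.\-:\[\]]{1,253}$")

# Common log format (assumed): client ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyse_line(line):
    """Return a record for a param.cgi request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so "%3B" is inspected as ";".
    params = parse_qs(url.query, keep_blank_values=True)
    ntp_values = params.get("ntp_addr", [])
    suspicious = any(not VALID_NTP_ADDR.match(v) for v in ntp_values)
    return {"client": client, "time": when, "method": method,
            "status": status, "ntp_addr": ntp_values, "suspicious": suspicious}


def scan_log(lines):
    """Every param.cgi request is worth reviewing; suspicious ones are listed first."""
    hits = [h for h in (analyse_line(l) for l in lines) if h]
    return sorted(hits, key=lambda h: not h["suspicious"])


# Constructed sample lines (not real traffic); the injected part is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Nov/2024:10:00:02 +0000] "GET /cgi-bin/param.cgi?ntp_addr=pool.ntp.org HTTP/1.1" 200 44',
    '198.51.100.7 - - [01/Nov/2024:10:00:03 +0000] "GET /cgi-bin/param.cgi?ntp_addr=10.0.0.1%3BPLACEHOLDER HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the IDOR bypass leaves no distinctive marker in a request line, any unexpected client reaching param.cgi at all is the signal for CVE-2024-8956; the ntp_addr check only sharpens the CVE-2024-8957 case.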
CISA has set November 25, 2024, as the deadline for federal agencies to remediate these flaws.