Cyber Resilience

CVE-2024-8956

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 September 2024
Modified: 27 October 2025
KEV added: 04 November 2024
Patch: available (vendor firmware 6.3.40)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.8361 (99.3rd percentile)
Risk priority: 88 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-8956 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in PTZOptics PT30X-SDI firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique System Network Configuration Discovery (T1016). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

PTZOptics PT30X-SDI/NDI-xx cameras running firmware prior to 6.3.40 contain an insufficient authentication vulnerability in the /cgi-bin/param.cgi endpoint. The camera fails to enforce authentication when HTTP requests arrive without an Authorization header, exposing the endpoint to direct access. This flaw is tracked under CWE-306 and CWE-287 and carries a CVSS 3.1 score of 9.1.

A remote attacker with no credentials can retrieve usernames, password hashes, and full configuration details. The same access also permits modification of individual parameters or complete overwrite of the configuration file, giving an unauthenticated party control over device settings without any user interaction.

Vendor firmware release notes list version 6.3.40 as the corrective update. CISA has added CVE-2024-8956 to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and prompting organizations to apply the patch without delay. GreyNoise reporting notes that related camera flaws were identified through AI-assisted analysis, and the EPSS score near 0.85 reflects sustained exploitation interest following disclosure.


Vulnerability details

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is that a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
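A log-side check for this flaw, added here as an example and not taken from the vendor or from this advisory. It assumes a reverse proxy or WAF in front of the camera writes one JSON line per request with a field recording whether an Authorization header was present (the field names and the sample lines are constructed), and it flags unauthenticated hits on /cgi-bin/param.cgi, separating requests the device actually served (still unpatched) from those it denied.

```python
import json
from collections import Counter

PARAM_CGI = "/cgi-bin/param.cgi"

# Constructed sample log (not captured from a real device). "auth" records
# whether an Authorization header was present; "status" is the camera's reply.
SAMPLE_LOG = """\
{"ts": "2024-11-05T10:00:01Z", "src": "203.0.113.7", "method": "GET", "path": "/cgi-bin/param.cgi", "auth": false, "status": 200}
{"ts": "2024-11-05T10:00:02Z", "src": "203.0.113.7", "method": "POST", "path": "/cgi-bin/param.cgi", "auth": false, "status": 200}
{"ts": "2024-11-05T10:00:03Z", "src": "192.0.2.10", "method": "GET", "path": "/cgi-bin/param.cgi", "auth": true, "status": 200}
{"ts": "2024-11-05T10:00:04Z", "src": "198.51.100.4", "method": "GET", "path": "/cgi-bin/param.cgi", "auth": false, "status": 401}
{"ts": "2024-11-05T10:00:05Z", "src": "203.0.113.7", "method": "GET", "path": "/index.html", "auth": false, "status": 200}
not json at all
"""


def parse_events(text):
    """Yield parsed request records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_param_cgi(path):
    """True when the request targets the vulnerable endpoint (query string ignored)."""
    return path.split("?", 1)[0] == PARAM_CGI


def find_unauthenticated_access(text):
    """Return (per_source, events) for requests to param.cgi that carried no Authorization header.

    per_source[src] counts "served" (status 200: the device answered without
    credentials, so it is still exposed) and "denied" (any other status).
    "write" counts POST requests, taken here as configuration changes; that
    mapping is an assumption, the advisory only states values can be updated.
    """
    per_source = {}
    events = []
    for rec in parse_events(text):
        if not is_param_cgi(rec.get("path", "")) or rec.get("auth", True):
            continue
        served = rec.get("status") == 200
        counts = per_source.setdefault(rec["src"], Counter())
        counts["served" if served else "denied"] += 1
        if rec.get("method") == "POST":
            counts["write"] += 1
        events.append({"ts": rec["ts"], "src": rec["src"],
                       "method": rec["method"], "served": served})
    return per_source, events
```

A source with a non-zero "served" count after the 6.3.40 update was supposed to be applied is the signal worth paging on, since a patched device should only ever add to "denied".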

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1016 System Network Configuration Discovery (tactic: Discovery)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
T1033 System Owner/User Discovery (tactic: Discovery)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Insufficient authentication on /cgi-bin/param.cgi enables unauthenticated exploitation of a public-facing web application (T1190), leaking usernames (T1033), system and configuration details (T1082), network configuration (T1016), and password hashes (T1552).

Affected Assets

ptzoptics / pt30x-sdi firmware: ≤ 6.3.40
ptzoptics / pt30x-ndi-xx-g2 firmware: ≤ 6.3.40

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly requires the camera to enforce authentication and authorization checks before granting access to /cgi-bin/param.cgi, blocking the unauthenticated reads and writes.

IA-8 Identification and Authentication (Non-organizational Users) (prevent)
Mandates identification and authentication of non-organizational users before any access to device services, eliminating the missing-authentication flaw exploited by remote attackers.

Flaw remediation (prevent)
Requires timely application of the vendor firmware update (6.3.40) that implements proper authentication on the affected endpoint.
