CVE-2024-8956
Published: 17 September 2024
Summary
CVE-2024-8956 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in PTZOptics PT30X-SDI firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
PTZOptics PT30X-SDI/NDI-xx cameras running firmware prior to 6.3.40 contain an insufficient authentication vulnerability in the /cgi-bin/param.cgi endpoint. The camera fails to enforce authentication when HTTP requests arrive without an Authorization header, exposing the endpoint to direct access. This flaw is tracked under CWE-306 and CWE-287 and carries a CVSS 3.1 score of 9.1.
A remote attacker with no credentials can retrieve usernames, password hashes, and full configuration details. The same access also permits modification of individual parameters or complete overwrite of the configuration file, giving an unauthenticated party control over device settings without any user interaction.
Vendor firmware release notes list version 6.3.40 as the corrective update. CISA has added CVE-2024-8956 to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and prompting organizations to apply the patch without delay. GreyNoise reporting notes that related camera flaws were identified through AI-assisted analysis, and the EPSS score near 0.85 reflects sustained exploitation interest following disclosure.
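Added example (not part of the original advisory or any vendor tooling): a Python triage check over logs from a reverse proxy placed in front of the camera, flagging requests to /cgi-bin/param.cgi that carried no Authorization header and were still answered with a 2xx status. The JSON-lines log format and its field names (ts, src, method, uri, status, has_auth) are assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

ENDPOINT = "/cgi-bin/param.cgi"  # endpoint named in the advisory

# Constructed sample log. The JSON-lines format and field names are
# assumptions; has_auth records whether an Authorization header was sent.
SAMPLE_LOG = """\
{"ts":"2024-11-05T10:00:01Z","src":"198.51.100.7","method":"GET","uri":"/cgi-bin/param.cgi?placeholder=1","status":200,"has_auth":false}
{"ts":"2024-11-05T10:00:04Z","src":"192.0.2.10","method":"GET","uri":"/cgi-bin/param.cgi","status":200,"has_auth":true}
{"ts":"2024-11-05T10:00:09Z","src":"198.51.100.7","method":"POST","uri":"/cgi-bin/param.cgi","status":200,"has_auth":false}
{"ts":"2024-11-05T10:01:30Z","src":"203.0.113.5","method":"GET","uri":"/cgi-bin/param.cgi","status":401,"has_auth":false}
{"ts":"2024-11-05T10:01:31Z","src":"203.0.113.5","method":"GET","uri":"/index.html","status":200,"has_auth":false}
not-json (truncated line)
"""


def unauthenticated_hits(lines):
    """Return {source: [(timestamp, method), ...]} for requests to ENDPOINT
    that carried no Authorization header and were still answered with 2xx."""
    hits = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        if not isinstance(rec, dict):
            continue
        if urlsplit(str(rec.get("uri", ""))).path != ENDPOINT:
            continue
        if rec.get("has_auth") is not False:
            continue  # header present, or field missing: not this pattern
        status = rec.get("status")
        if isinstance(status, int) and 200 <= status < 300:
            hits[rec.get("src", "unknown")].append((rec.get("ts"), rec.get("method")))
    return dict(hits)


if __name__ == "__main__":
    for src, events in unauthenticated_hits(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(events)} unauthenticated 2xx request(s) to {ENDPOINT}")
        for ts, method in events:
            print(f"  {ts} {method}")
```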
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49505
Vulnerability details
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
- CWE(s)
- KEV Date Added: 04 November 2024
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Insufficient authentication on /cgi-bin/param.cgi enables unauthenticated exploitation of a public-facing web application (T1190), leaking usernames (T1033), system/config details (T1082), network configs (T1016), and password hashes (T1552).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires the camera to enforce authentication and authorization checks before granting access to /cgi-bin/param.cgi, blocking the unauthenticated reads and writes.
Mandates identification and authentication of non-organizational users before any access to device services, eliminating the missing-authentication flaw exploited by remote attackers.
Requires timely application of the vendor firmware update (6.3.40) that implements proper authentication on the affected endpoint.