Cyber Resilience

CVE-2024-8957

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 17 September 2024

Published
17 September 2024
Modified
27 October 2025
KEV Added
04 November 2024
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5552 98.1th percentile
Risk Priority 68 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8957 is a high-severity OS Command Injection (CWE-78) vulnerability in Ptzoptics Pt30X-Sdi Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

PTZOptics PT30X-SDI/NDI-xx cameras running firmware prior to version 6.3.40 contain an OS command injection vulnerability tracked as CVE-2024-8957 and CWE-78. The devices fail to properly validate the ntp_addr configuration parameter, allowing arbitrary commands to be executed when the ntp_client service is started. The issue carries a CVSS 3.1 score of 7.2 and is exploitable over the network.

A remote attacker with high privileges can trigger the flaw directly to obtain arbitrary OS command execution on affected cameras. When the vulnerability is chained with CVE-2024-8956, the same outcome is achievable by an unauthenticated remote attacker without prior credentials.

Firmware release notes and vendor advisories direct users to upgrade to version 6.3.40 or later. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, and independent research from GreyNoise indicates it was identified during proactive scanning of live-streaming camera deployments. The associated EPSS score has remained elevated near 0.55–0.57 since disclosure.

EU & UK References

Vulnerability details

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote…

more

and unauthenticated attacker can execute arbitrary OS commands on affected devices.

CWE(s)
KEV Date Added
04 November 2024

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-8957 enables remote unauthenticated exploitation of a public-facing web configuration interface (T1190) leading to OS command injection executed via Unix shell when the NTP client starts (T1059.004).

Affected Assets

ptzoptics
pt30x-sdi firmware
≤ 6.3.40
ptzoptics
pt30x-ndi-xx-g2 firmware
≤ 6.3.40

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the ntp_addr configuration value to block the command-injection payload before ntp_client executes it.

prevent

Mandates timely application of the vendor firmware (6.3.40+) that corrects the insufficient ntp_addr validation.

preventdetect

Requires integrity verification of firmware and configuration data, limiting both introduction and undetected execution of the malicious ntp_addr value.

References