CVE-2024-8957
Published: 17 September 2024
Summary
CVE-2024-8957 is a high-severity OS Command Injection (CWE-78) vulnerability in PTZOptics PT30X-SDI firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked in the top 1.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
PTZOptics PT30X-SDI/NDI-xx cameras running firmware prior to version 6.3.40 contain an OS command injection vulnerability tracked as CVE-2024-8957 and CWE-78. The devices fail to properly validate the ntp_addr configuration parameter, allowing arbitrary commands to be executed when the ntp_client service is started. The issue carries a CVSS 3.1 score of 7.2 and is exploitable over the network.
A remote attacker with high privileges can trigger the flaw directly to obtain arbitrary OS command execution on affected cameras. When the vulnerability is chained with CVE-2024-8956, the same outcome is achievable by an unauthenticated remote attacker without prior credentials.
Firmware release notes and vendor advisories direct users to upgrade to version 6.3.40 or later. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, and independent research from GreyNoise indicates it was identified during proactive scanning of live-streaming camera deployments. The associated EPSS score has remained elevated near 0.55–0.57 since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49506
Vulnerability details
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
- CWE(s)
- KEV Date Added: 04 November 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-8957 enables remote unauthenticated exploitation of a public-facing web configuration interface (T1190) leading to OS command injection executed via Unix shell when the NTP client starts (T1059.004).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of the ntp_addr configuration value to block the command-injection payload before ntp_client executes it.
Mandates timely application of the vendor firmware (6.3.40+) that corrects the insufficient ntp_addr validation.
Requires integrity verification of firmware and configuration data, limiting both introduction and undetected execution of the malicious ntp_addr value.
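The input-validation control described above can be illustrated with an allowlist check on the ntp_addr value. This is an added example, not vendor or firmware code; the function names and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Characters that can appear in a hostname or an IPv4/IPv6 literal. Anything
# else (spaces, quotes, ;, |, &, $, backticks, newlines, %) is rejected outright.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: alphanumeric at both ends, hyphens inside, 1-63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_ntp_addr(value):
    """Return a normalized NTP server address or raise ValueError."""
    if not isinstance(value, str) or not _ALLOWED.fullmatch(value):
        raise ValueError("ntp_addr contains characters outside the allowlist")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if ":" in value or len(value) > 253:
        raise ValueError("ntp_addr is not a valid IP literal or hostname")
    labels = value.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("ntp_addr has a malformed hostname label")
    if labels[-1].isdigit():
        # All-numeric last label means a broken IPv4 literal, not a hostname.
        raise ValueError("ntp_addr looks like a malformed IPv4 address")
    return value.lower()


def audit_values(values):
    """Map each candidate value to (accepted, normalized_value_or_reason)."""
    results = {}
    for candidate in values:
        try:
            results[candidate] = (True, validate_ntp_addr(candidate))
        except ValueError as exc:
            results[candidate] = (False, str(exc))
    return results


# Constructed sample values, not taken from any device or advisory.
SAMPLES = ["192.0.2.10", "2001:db8::123", "Time.Example.ORG",
           "time.example.org; echo x", "$(echo x)", "192.0.2.999",
           "fe80::1%eth0", "-example.org", "time.example.org\n"]

if __name__ == "__main__":
    for value, (ok, detail) in audit_values(SAMPLES).items():
        print(f"{value!r:32} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

Even after validation, the value should be handed to the NTP client as a separate argument rather than interpolated into a shell command string, so the validator is not the only barrier.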