Cyber Resilience

CVE-2025-35451

CriticalPublic PoC

Published: 05 September 2025

Published
05 September 2025
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 47.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-35451 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ptzoptics Pt12X-Sdi-Xx-G2 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 47.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-35451 is a critical vulnerability (CVSS 9.8) involving the use of hard-coded, default administrative credentials (CWE-798) in PTZOptics cameras and possibly other ValueHD-based pan-tilt-zoom cameras. These credentials have passwords that can be readily cracked, and many affected devices expose SSH or Telnet services listening on all interfaces. Users cannot change the passwords or disable these services, leaving the devices persistently vulnerable to unauthorized access.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants administrative access via SSH or Telnet, enabling high-impact confidentiality, integrity, and availability violations, such as full remote code execution or device takeover.

CISA's ICS Advisory ICSA-25-162-10 provides detailed mitigation guidance for this vulnerability. Additional information is available in the official CVE record and related GreyNoise reports.

GreyNoise Intelligence discovered this and related zero-day vulnerabilities in live-streaming cameras using AI assistance, highlighting real-world risks in operational technology environments.

EU & UK References

Vulnerability details

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH…

more

or telnet service be disabled by the user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1021.004 SSH Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

Hard-coded default credentials on exposed SSH/Telnet directly enable Valid Accounts (Default Accounts) and External Remote Services for initial access and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-35452Same product: Multicam-Systems Mcamii Ptz
CVE-2020-37092Shared CWE-798
CVE-2026-23647Shared CWE-798
CVE-2026-28777Shared CWE-798
CVE-2024-46429Shared CWE-798
CVE-2024-46436Shared CWE-798
CVE-2025-1143Shared CWE-798
CVE-2026-27507Shared CWE-798
CVE-2024-48126Shared CWE-798
CVE-2026-28776Shared CWE-798

Affected Assets

ptzoptics
pt12x-sdi-xx-g2 firmware
≤ 6.3.34
ptzoptics
pt12x-ndi-xx firmware
≤ 6.3.34
ptzoptics
pt12x-usb-xx-g2 firmware
≤ 6.2.81
ptzoptics
pt20x-sdi-xx-g2 firmware
≤ 6.3.20
ptzoptics
pt20x-ndi-xx firmware
≤ 6.3.20
ptzoptics
pt20x-usb-xx-g2 firmware
≤ 6.2.73
ptzoptics
pt30x-sdi-xx-g2 firmware
≤ 6.3.30
ptzoptics
pt30x-ndi-xx firmware
≤ 6.3.30
ptzoptics
pt12x-zcam firmware
≤ 7.2.76
ptzoptics
pt20x-zcam firmware
≤ 7.2.82
+41 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 directly mandates changing default authenticators and managing passwords, comprehensively addressing the hard-coded, crackable credentials that enable unauthorized access.

prevent

AC-2 requires managing accounts by disabling unnecessary or default administrative accounts, preventing exploitation of persistent hard-coded credentials.

prevent

SC-7 enforces boundary protection to monitor and control network communications, blocking remote access to exposed SSH and Telnet services on all interfaces.

References