Cyber Posture

CVE-2025-35452

Critical · Public PoC

Published: 05 September 2025

Modified: 23 December 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-35452 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ptzoptics Pteptz-Ndi-Zcam-G2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique SSH (T1021.004). The CVE ranks at the 35.5th percentile by exploit likelihood, which is below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to SSH (T1021.004) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

AC-2 requires changing default content of system accounts and automatically assigned passwords, directly mitigating the use of default shared administrative credentials in PTZOptics cameras.

prevent

IA-5 mandates management of authenticators like passwords with requirements for uniqueness, strength, and non-reuse of defaults, preventing exploitation of hard-coded or shared credentials.

prevent

CM-6 enforces secure configuration settings including modification of default credentials to the most restrictive mode consistent with operational needs for affected camera devices.

MITRE ATT&CK Enterprise Techniques · AI

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Default and hard-coded credentials for web admin, SSH, and Telnet enable T1078.001 (Default Accounts) and T1021.004 (SSH). Improper authentication and OS command injection in the web interface (/cgi-bin/param.cgi, ntp_addr) facilitate T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell).

NVD Description

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface.

Deeper analysis · AI

CVE-2025-35452 is a critical vulnerability in PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras, stemming from the use of default, shared credentials for the administrative web interface. This issue maps to CWE-798 (use of hard-coded credentials) and CWE-1392 (use of default credentials), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network-accessible exploitation without authentication or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability by connecting to the camera's web interface over the network and using the publicly known default credentials to gain administrative access. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, enabling full control over the affected camera devices.

CISA's ICSA-25-162-10 advisory details mitigations for this and related vulnerabilities in operational technology devices. Additional guidance appears in the official CVE record and GreyNoise publications.

GreyNoise intelligence reports the AI-assisted discovery of zero-day vulnerabilities, including this one, in live-streaming cameras, with further details on the related RCE in their SIFT analysis.

Details

CWE(s)

Affected Products

ptzoptics · pt12x-sdi-xx-g2 firmware · all versions
ptzoptics · pt12x-ndi-xx firmware · all versions
ptzoptics · pt12x-usb-xx-g2 firmware · all versions
ptzoptics · pt20x-sdi-xx-g2 firmware · all versions
ptzoptics · t20x-ndi-xx firmware · all versions
ptzoptics · pt20x-usb-xx-g2 firmware · all versions
ptzoptics · pt30x-sdi-xx-g2 firmware · all versions
ptzoptics · pt30x-ndi-xx firmware · all versions
ptzoptics · pt12x-zcam firmware · all versions
ptzoptics · pt20x-zcam firmware · all versions
+51 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-35451 · Same product: Multicam-Systems Mcamii Ptz
CVE-2025-51536 · Shared CWE-1392, CWE-798
CVE-2025-34516 · Shared CWE-1392
CVE-2026-25202 · Shared CWE-798
CVE-2025-0482 · Shared CWE-1392
CVE-2026-22273 · Shared CWE-1392
CVE-2023-27573 · Shared CWE-1392, CWE-798
CVE-2026-1972 · Shared CWE-1392
CVE-2024-8893 · Shared CWE-798
CVE-2026-3873 · Shared CWE-798
