{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-8956","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2024-09-17T19:08:47.005Z","datePublished":"2024-09-17T19:59:27.205Z","dateUpdated":"2025-11-22T12:09:58.681Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"PT30X-SDI","vendor":"PTZOptics","versions":[{"lessThan":"6.3.40","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"PT30X-NDI","vendor":"PTZOptics","versions":[{"lessThan":"6.3.40","status":"affected","version":"0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:h:ptzoptics:pt30x-sdi:*:*:*:*:*:*:*:*","versionEndExcluding":"6.3.40","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"},{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:*:*:*:*:*:*:*:*","versionEndExcluding":"6.3.40","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Konstantin Lazarev of GreyNoise"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.<br>"}],"value":"PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file."}],"impacts":[{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114 Authentication Abuse"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing Authentication for Critical Function","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-11-22T12:09:58.681Z"},"references":[{"tags":["vendor-advisory"],"url":"https://ptzoptics.com/firmware-changelog/"},{"tags":["third-party-advisory"],"url":"https://vulncheck.com/advisories/ptzoptics-insufficient-auth"}],"source":{"discovery":"UNKNOWN"},"tags":["x_known-exploited-vulnerability"],"title":"PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-8956","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-10-08T15:54:06.883084Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2024-11-04","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956"}}}],"affected":[{"cpes":["cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*"],"vendor":"ptzoptics","product":"pt30x-sdi_firmware","versions":[{"status":"affected","version":"0","lessThan":"6.3.40","versionType":"custom"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*"],"vendor":"ptzoptics","product":"pt30x-ndi-xx-g2_firmware","versions":[{"status":"affected","version":"0","lessThan":"6.3.40","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/","tags":["technical-description","third-party-advisory","exploit"]},{"url":"https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai","tags":["third-party-advisory"]},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8956","tags":["government-resource"]}],"timeline":[{"time":"2024-11-04T00:00:00.000Z","lang":"en","value":"CVE-2024-8956 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T22:55:44.402Z"}}]}}