PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 25 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306

Mon, 08 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2024-11-04'}


Mon, 04 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 29 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ptzoptics:pt30x-sdi.ndi-xx:*:*:*:*:*:*:*:*
Vendors & Products Ptzoptics pt30x-sdi.ndi-xx

Tue, 01 Oct 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ptzoptics pt30x-ndi-xx-g2
Ptzoptics pt30x-ndi-xx-g2 Firmware
Ptzoptics pt30x-sdi
Ptzoptics pt30x-sdi Firmware
CPEs cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:*
cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:*
cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*
Vendors & Products Ptzoptics pt30x-ndi-xx-g2
Ptzoptics pt30x-ndi-xx-g2 Firmware
Ptzoptics pt30x-sdi
Ptzoptics pt30x-sdi Firmware

Tue, 17 Sep 2024 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ptzoptics
Ptzoptics pt30x-sdi.ndi-xx
CPEs cpe:2.3:a:ptzoptics:pt30x-sdi.ndi-xx:*:*:*:*:*:*:*:*
Vendors & Products Ptzoptics
Ptzoptics pt30x-sdi.ndi-xx
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 20:15:00 +0000

Type Values Removed Values Added
Description PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
Title PTZOptics NDI and SDI Cameras /cgi-bin/param.cgi Insufficient Authentication
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-09-25T18:26:21.069Z

Reserved: 2024-09-17T19:08:47.005Z

Link: CVE-2024-8956

cve-icon Vulnrichment

Updated: 2024-09-17T20:53:53.285Z

cve-icon NVD

Status : Modified

Published: 2024-09-17T20:15:07.287

Modified: 2025-09-25T19:15:42.553

Link: CVE-2024-8956

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.