PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 08 Sep 2025 19:15:00 +0000


Mon, 04 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2024-11-04'}


Mon, 04 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ptzoptics pt30x-ndi-xx-g2
Ptzoptics pt30x-ndi-xx-g2 Firmware
Ptzoptics pt30x-sdi
CPEs cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:*
cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:*
cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:*
Vendors & Products Ptzoptics pt30x-ndi-xx-g2
Ptzoptics pt30x-ndi-xx-g2 Firmware
Ptzoptics pt30x-sdi

Wed, 18 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Ptzoptics
Ptzoptics pt30x-ndi Firmware
Ptzoptics pt30x-sdi Firmware
CPEs cpe:2.3:o:ptzoptics:pt30x-ndi_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:*
Vendors & Products Ptzoptics
Ptzoptics pt30x-ndi Firmware
Ptzoptics pt30x-sdi Firmware
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
Description PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
Title PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-09-08T18:29:42.970Z

Reserved: 2024-09-17T19:08:48.129Z

Link: CVE-2024-8957

cve-icon Vulnrichment

Updated: 2024-09-18T13:52:31.904Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-17T21:15:13.423

Modified: 2025-09-09T14:11:15.087

Link: CVE-2024-8957

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.