What is CVE-2024-8956?

CVE-2024-8956 (CVSS score 9.3) is an improper authentication vulnerability affecting PTZOptics PT30X-SDI/NDI cameras that allows remote attackers to bypass authentication controls and access sensitive configuration data including usernames, password hashes, and device settings without proper authorization.

What is CVE-2024-8957?

CVE-2024-8957 (CVSS score 8.6) is an OS command injection flaw that enables authenticated attackers to execute arbitrary operating system commands through insufficient validation of the ntp_addr configuration parameter.

What is CVE-2025-35451?

CVE-2025-35451 (CVSS score 9.2) is a hard-coded credentials vulnerability affecting SSH and telnet services that allows attackers to gain administrative access using default passwords that cannot be changed by users.

What is CVE-2025-35452?

CVE-2025-35452 (CVSS score 9.2) is another hard-coded credentials issue affecting the administrative web interface with shared default passwords across devices, allowing unauthorized administrative access.

Which camera systems are affected by these vulnerabilities?

Affected products include PTZOptics camera models including the PT12X, PT20X, and PT30X series across SDI, NDI, USB, and 4K variants. ValueHD, multiCAM Systems, and SMTAV pan-tilt-zoom cameras are also affected by the hard-coded credential vulnerabilities across all versions.

Have the affected vendors released patches?

PTZOptics has released firmware updates to address these vulnerabilities. However, the other vendors - ValueHD, multiCAM Systems, and SMTAV - have not responded to CISA's coordination requests.

Why are hard-coded credentials particularly dangerous?

Hard-coded credentials are particularly dangerous because they are default passwords that cannot be changed by users. This means attackers can gain administrative access to any affected device using these known credentials, and organizations cannot secure their devices by changing passwords.

What should organizations do about these camera vulnerabilities?

Organizations using affected camera systems are strongly advised to isolate the devices from networks, apply firmware updates when available (PTZOptics has released patches), and implement network segmentation to limit potential impact.

What makes these camera vulnerabilities particularly concerning?

These vulnerabilities are particularly concerning because they affect widely-used professional camera systems, have been actively exploited in the wild, include multiple critical-severity flaws with CVSS scores above 9.0, and some involve hard-coded credentials that users cannot change to secure their devices.

What is CISA's Known Exploited Vulnerabilities (KEV) catalog?

CISA's Known Exploited Vulnerabilities (KEV) catalog is a list of vulnerabilities that have been actively exploited in the wild. When vulnerabilities are added to this catalog, federal agencies have mandatory deadlines to remediate them, highlighting their critical nature and active exploitation by threat actors.

Attack

Multiple exploited critical vulnerabilities reported in PTZOptics and other Pan-Tilt-Zoom Cameras

Q: What critical vulnerabilities did CISA report in PTZOptics camera systems?

CISA reported multiple critical security vulnerabilities affecting PTZOptics and other pan-tilt-zoom camera systems from ValueHD, multiCAM Systems, and SMTAV. These flaws enable remote attackers to compromise devices without authentication and execute arbitrary commands on affected systems.

Q: Are these vulnerabilities being actively exploited?

Yes, the vulnerabilities have been actively exploited in the wild, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) catalog with mandatory remediation deadlines for federal agencies.

published: June 18, 2025

Take action: If you have PTZOptics cameras (PT12X, PT20X, PT30X series) or pan-tilt-zoom cameras from ValueHD, multiCAM Systems, or SMTAV, make sure to isolate these devices from the internet as they're being actively exploited. Apply PTZOptics firmware updates, and reach out to your vendor. If no patches are available, consider replacing cameras from other vendors or enforcing strict network isolation.

Learn More

CISA is reporting multiple critical security vulnerabilities affecting PTZOptics and other pan-tilt-zoom camera systems from ValueHD, multiCAM Systems, and SMTAV. These flaws enable remote attackers to compromise devices without authentication and execute arbitrary commands on affected systems.

The vulnerabilities have been actively exploited in the wild, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) catalog with mandatory remediation deadlines for federal agencies.

Vulnerabilities summary

CVE-2024-8956 (CVSS score 9.3) - An improper authentication vulnerability affecting PTZOptics PT30X-SDI/NDI cameras that allows remote attackers to bypass authentication controls and access sensitive configuration data including usernames, password hashes, and device settings without proper authorization.
CVE-2024-8957 (CVSS score 8.6) - An OS command injection flaw that enables authenticated attackers to execute arbitrary operating system commands through insufficient validation of the ntp_addr configuration parameter.
CVE-2025-35451 (CVSS score 9.2) - A hard-coded credentials vulnerability affecting SSH and telnet services that allows attackers to gain administrative access using default passwords that cannot be changed by users.
CVE-2025-35452 (CVSS score 9.2) - Another hard-coded credentials issue affecting the administrative web interface with shared default passwords across devices.

Affected products

PTZOptics camera models including the PT12X, PT20X, and PT30X series across SDI, NDI, USB, and 4K variants,
ValueHD, multiCAM Systems, and SMTAV pan-tilt-zoom cameras are also affected by the hard-coded credential vulnerabilities across all versions.

PTZOptics has released firmware updates to address these vulnerabilities. The other vendors, ValueHD, multiCAM Systems, and SMTAV have not responded to CISA's coordination requests.

Organizations using affected camera systems are strongly advised to isolate the devices and patch when available.

Multiple exploited critical vulnerabilities reported in PTZOptics and other Pan-Tilt-Zoom Cameras

Read More
Critical RCE Vulnerability Exploited in Legacy D-Link DSL …
SmarterTools Patches Critical Unauthenticated RCE and Active Exploits …
CISA reports active exploitation of Microsoft SharePoint RCE …
Ivanti Patches Critical Zero-Day RCE Flaws in EPMM
Active exploitation reported of Hitachi Vantara Pentaho BA …