CVE-2024-8956 — PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

PTZOptics PT30X-SDI/NDI — IDOR Auth Bypass Chains with CVE-2024-8957 for Unauthenticated Root RCE

What is PTZOptics PT30X?

PTZOptics PT30X-SDI and PT30X-NDI are professional pan-tilt-zoom (PTZ) cameras widely used in broadcast production, live streaming, houses of worship, conference rooms, lecture halls, and stadiums. These cameras are typically network-connected and accessible via a web management interface that allows operators to control camera angle, zoom, and settings remotely. Like many IoT and operational technology devices, PTZ cameras are often deployed on network segments with broad reachability and minimal security hardening, and they may operate for years without firmware updates — making them an attractive target for botnet operators and attackers seeking network footholds.

Overview

CVE-2024-8956 is an authentication bypass (insecure direct object reference) in the PTZOptics PT30X-SDI/NDI camera CGI interface that allows a remote unauthenticated attacker to access the /cgi-bin/param.cgi script without credentials. When chained with CVE-2024-8957 (an OS command injection in the same CGI interface that normally requires authentication), the combination enables unauthenticated remote code execution as root on the affected camera. The vulnerabilities were discovered by Nozomi Networks and confirmed exploited in the wild, leading to CISA KEV addition on November 4, 2024. Some affected camera models are end-of-life and will not receive firmware updates.

Affected Versions

Product            | Vulnerable Firmware | Fixed Firmware
-------------------|---------------------|----------------------------------
PT30X-SDI          | < 6.3.40            | 6.3.40 (if available for model)
PT30X-NDI          | < 6.3.40            | 6.3.40 (if available for model)
End-of-life models | All versions        | No fix available — replace device

Check the PTZOptics firmware changelog to determine whether your specific model received the 6.3.40 firmware update. End-of-life models will not receive patches.

Technical Details

CWE-306 (Missing Authentication for Critical Function). The /cgi-bin/param.cgi CGI script on the camera's web server accepts requests without verifying authentication credentials. This is classified as an insecure direct object reference (IDOR) because the camera's web server serves the script directly without enforcing the authentication gate that the web UI applies.

Two-CVE attack chain:

  1. CVE-2024-8956 — unauthenticated access to /cgi-bin/param.cgi, bypassing the authentication requirement.
  2. CVE-2024-8957 (OS command injection) — parameters accepted by param.cgi are passed to OS-level commands without sanitization, enabling arbitrary command execution as root.

The result is full unauthenticated root-level code execution on the camera device, achieved by any attacker who can reach the camera's web port.

Discovery

Discovered by Nozomi Networks OT/IoT security researchers, who disclosed the vulnerabilities responsibly and published research documentation on September 17, 2024 alongside the CVE publication.

Exploitation Context

Exploitation in the wild was confirmed prior to CISA's November 4, 2024 KEV addition. PTZ cameras on accessible network segments — particularly those exposed to the internet or reachable from poorly segmented guest or facility networks — were targeted. Mirai-style botnet operators scan for and exploit vulnerable IoT devices for DDoS infrastructure; the root access available via this chain makes compromised cameras useful as persistent network footholds as well. The combination of weak default security posture, infrequent firmware updates, and broad network deployment makes PTZ cameras and similar IoT devices a recurring target in this threat category.

Remediation

  1. Update camera firmware to version 6.3.40 or later if available for your model (see the PTZOptics firmware changelog).
  2. For end-of-life models with no available patch, replace the device — continued operation of an unpatched root-exploitable network camera represents unacceptable risk.
  3. Isolate PTZ cameras on a dedicated VLAN with firewall rules restricting access to authorized operators only; cameras should not be directly internet-accessible.
  4. Disable remote web management access from external or untrusted networks.
  5. Change default credentials on all PTZ cameras if not already done; disable unused management interfaces.
  6. Audit network access logs for unauthorized access to camera web management interfaces.
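To support the log audit in step 6, the following added example (not PTZOptics' or Nozomi's code) scans constructed common-log-format access lines for requests to the /cgi-bin/param.cgi path named in this advisory. The operator subnet, parameter names and timestamps are constructed assumptions; the page does not supply them.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.20.30.5 - - [03/Nov/2024:09:14:02 +0000] "GET /cgi-bin/param.cgi?get=placeholder_param HTTP/1.1" 200 512
203.0.113.77 - - [03/Nov/2024:09:15:44 +0000] "GET /cgi-bin/param.cgi?get=placeholder_param HTTP/1.1" 200 512
203.0.113.77 - - [03/Nov/2024:09:15:51 +0000] "POST /cgi-bin/param.cgi?set=%3Bplaceholder HTTP/1.1" 200 64
10.20.30.5 - - [03/Nov/2024:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Hypothetical operator VLAN (assumption); adjust to the segment from remediation step 3.
OPERATOR_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# CGI path named in the advisory as reachable without authentication.
TARGET_PATH = "/cgi-bin/param.cgi"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that have no business in a camera parameter value; param.cgi
# passes its parameters to OS commands, so flag them for review.
SHELL_META = re.compile(r"[;|`&]|\$\(")


def is_operator(ip_text, networks=OPERATOR_NETWORKS):
    """True when the source address belongs to an authorized operator network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def audit(log_text, networks=OPERATOR_NETWORKS):
    """Return (source_ip, status, reason, url) findings for param.cgi requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if path != TARGET_PATH:
            continue
        ip, status, url = m.group("ip"), m.group("status"), m.group("url")
        # A 200 (not 401) to a non-operator source is consistent with the
        # missing-authentication behaviour described for CVE-2024-8956.
        if not is_operator(ip, networks):
            findings.append((ip, status, "param.cgi request from outside operator networks", url))
        if SHELL_META.search(unquote(query)):
            findings.append((ip, status, "shell metacharacters in param.cgi query", url))
    return findings
```

Run against the real camera or reverse-proxy access log in place of SAMPLE_LOG; any finding from outside the operator range warrants the firewall and firmware steps above.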

Key Details

Property             | Value
---------------------|---------------------------------------------
CVE ID               | CVE-2024-8956
Vendor / Product     | PTZOptics — PT30X-SDI/NDI Cameras
NVD Published        | 2024-09-17
NVD Last Modified    | 2025-10-27
CVSS 3.1 Score       | 9.1
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity             | CRITICAL
CWE                  | CWE-306
CISA KEV Added       | 2024-11-04
CISA KEV Deadline    | 2024-11-25
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        None

Required Action

CISA BOD 22-01 Deadline: 2024-11-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|------------------------------------------------------------------------------
2024-09-17 | CVE-2024-8956 and CVE-2024-8957 published; Nozomi Networks discloses research
2024-11-04 | Added to CISA Known Exploited Vulnerabilities catalog
2024-11-25 | CISA BOD 22-01 remediation deadline

References

Resource                      | Type
------------------------------|-----------------------
PTZOptics Firmware Changelog  | Vendor Advisory
NVD — CVE-2024-8956           | Vulnerability Database
CISA KEV Catalog Entry        | US Government