CVE-2024-8956 Overview
CVE-2024-8956 is an insufficient authentication vulnerability in PTZOptics PT30X-SDI and PT30X-NDI pan-tilt-zoom cameras running firmware versions before 6.3.40. The camera fails to enforce authentication on the /cgi-bin/param.cgi endpoint when HTTP requests omit the Authorization header. Unauthenticated remote attackers can read sensitive configuration data, including usernames and password hashes, and write new configuration values. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Critical Impact
Remote unauthenticated attackers can extract credential hashes and rewrite device configuration on internet-exposed PTZOptics cameras, enabling full device takeover and potential pivot into broadcast and conferencing networks.
Affected Products
- PTZOptics PT30X-SDI firmware versions prior to 6.3.40
- PTZOptics PT30X-NDI-xx-G2 firmware versions prior to 6.3.40
- PTZOptics PT30X-SDI and PT30X-NDI-xx-G2 hardware models running affected firmware
Discovery Timeline
- 2024-09-17 - CVE-2024-8956 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2024-8956
Vulnerability Analysis
The vulnerability is classified under [CWE-306] Missing Authentication for Critical Function and [CWE-287] Improper Authentication. The affected endpoint /cgi-bin/param.cgi handles device configuration parameters on PTZOptics cameras. The CGI handler conditionally validates credentials only when the inbound HTTP request includes an Authorization header. Requests sent without that header bypass the authentication check entirely and reach the parameter parser as if issued by an authenticated administrator.
This design flaw exposes both read and write paths on the configuration interface. Attackers can query individual parameters, dump the complete configuration file, or push new values to attributes such as administrator credentials, network settings, and stream endpoints. Because PTZOptics cameras are commonly deployed in conference rooms, courtrooms, houses of worship, and broadcast studios, compromised devices can be repurposed for surveillance, lateral movement, or as a foothold inside otherwise segmented networks.
Root Cause
The /cgi-bin/param.cgi handler treats the absence of an Authorization header as an implicit trust condition rather than a failure case. Authentication logic short-circuits before credential evaluation, granting read and write access to anyone who can reach the camera over the network.
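To make the root cause concrete, the following Python model contrasts the flawed "check credentials only if a header is present" pattern with a fail-closed check. It is an added illustration written for this page, not PTZOptics firmware or any code from the advisory; the handler names, the credential store and the HTTP Basic scheme are assumptions used to show the control-flow difference, and the functions return an HTTP status code instead of serving a response.

```python
import base64
import hmac
from typing import Dict, Optional

# Constructed credential pair for the demo only; a real device compares against stored hashes.
ADMIN_USER = "admin"
ADMIN_PASS = "correct-horse-battery"


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for callers and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _credentials_valid(authorization: Optional[str]) -> bool:
    """Return True only for a well-formed Basic header carrying the right credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    # Constant-time comparison avoids leaking which part mismatched.
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASS)


def handle_param_cgi_vulnerable(headers: Dict[str, str]) -> int:
    """Models the flawed pattern described above (hypothetical handler, not device code).

    Credentials are evaluated only when an Authorization header exists, so a request
    that simply omits the header falls through to the 'authorized' path.
    """
    auth = headers.get("Authorization")
    if auth is not None and not _credentials_valid(auth):
        return 401
    return 200  # reached both by valid credentials AND by a missing header


def handle_param_cgi_fixed(headers: Dict[str, str]) -> int:
    """Fail closed: a missing or malformed header is an authentication failure."""
    if not _credentials_valid(headers.get("Authorization")):
        return 401
    return 200


if __name__ == "__main__":
    no_header: Dict[str, str] = {}
    print("vulnerable, no header:", handle_param_cgi_vulnerable(no_header))  # 200
    print("fixed, no header:     ", handle_param_cgi_fixed(no_header))       # 401
```

The only behavioural difference between the two handlers is what happens when the header is absent: the vulnerable version treats absence as success, the fixed version treats every request as unauthenticated until a valid header proves otherwise. The same fail-closed rule is what a reverse proxy in front of an unpatched camera has to enforce.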
Attack Vector
Exploitation requires only network reachability to the camera's web management interface, typically TCP port 80 or 443. An attacker sends an HTTP request to /cgi-bin/param.cgi without an Authorization header. The camera returns sensitive parameters in the response body. A follow-up request supplying configuration write parameters in the query string or POST body modifies device state. No user interaction or prior credentials are required.
The vulnerability is described in the VulnCheck Advisory for PTZOptics and the GreyNoise Blog on Zero-Day Vulnerabilities, which documents in-the-wild scanning and exploitation activity.
Detection Methods for CVE-2024-8956
Indicators of Compromise
- HTTP GET or POST requests to /cgi-bin/param.cgi that arrive without an Authorization header from external or untrusted source addresses
- Unexpected changes to camera administrator credentials, network configuration, or RTSP stream targets
- Outbound connections from PTZOptics cameras to addresses that do not match approved streaming or NTP destinations
- Camera firmware version reporting below 6.3.40 on devices reachable from untrusted networks
Detection Strategies
- Inspect web server access logs on PTZOptics cameras and upstream reverse proxies for requests to /cgi-bin/param.cgi lacking authentication headers
- Correlate scan activity reported by threat intelligence sources such as the GreyNoise Grimoire for SIFT RCE with internal firewall logs to identify probes against camera management interfaces
- Baseline camera configuration files and alert on unauthorized parameter changes
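The first detection strategy above can be scripted against access logs. The following Python script is an added example, not tooling from PTZOptics, VulnCheck or GreyNoise: it parses constructed lines in the Apache/nginx "combined" log format, where the third field is the authenticated user and is logged as "-" when the request carried no credentials (an assumption about the log source), and flags requests to /cgi-bin/param.cgi that were answered with a 2xx status despite having no authenticated user. A 401 on such a request means the check held, so those lines are not flagged. The trusted admin subnet is also an assumption.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines (combined format); not captured from a real device.
SAMPLE_LOG = """\
10.10.50.12 - admin [03/Nov/2024:10:01:02 +0000] "GET /cgi-bin/param.cgi?get_device_conf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2024:10:01:15 +0000] "GET /cgi-bin/param.cgi?get_device_conf HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [03/Nov/2024:10:01:16 +0000] "POST /cgi-bin/param.cgi HTTP/1.1" 200 20 "-" "python-requests/2.31"
10.10.50.12 - - [03/Nov/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Nov/2024:10:03:30 +0000] "GET /cgi-bin/param.cgi?get_network_conf HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# src ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed management VLAN; anything else is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.10.50.0/24")]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["status"] = int(m.group("status"))
    return entry


def is_trusted(src: str) -> bool:
    """True when the source address falls inside an approved admin network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_unauthenticated_param_hits(log_text: str) -> List[Dict[str, object]]:
    """Return entries where param.cgi answered 2xx to a request with no authenticated user.

    That combination is the CVE-2024-8956 pattern: the endpoint served configuration
    data without credentials. 401 responses are excluded because they show the
    check working (patched device or fronting proxy).
    """
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not str(e["path"]).startswith("/cgi-bin/param.cgi"):
            continue
        if e["user"] == "-" and 200 <= int(e["status"]) < 300:
            e["trusted_source"] = is_trusted(str(e["src"]))
            hits.append(e)
    return hits


def hits_by_source(hits: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per source address for triage."""
    return Counter(str(h["src"]) for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_param_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['method']} {h['path']} status={h['status']} "
              f"trusted={h['trusted_source']}")
    print(hits_by_source(found))
```

Run against the sample, the script flags the two requests from 203.0.113.7 and ignores both the authenticated admin request and the 401 from 198.51.100.9. Repeated hits from one untrusted source against param.cgi, especially a GET that dumps configuration followed by a POST, are worth correlating with the configuration-baseline alerts from the next strategy.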
Monitoring Recommendations
- Continuously enumerate PTZOptics devices in asset inventory and track firmware versions against the 6.3.40 baseline
- Monitor network egress from camera VLANs for anomalous destinations or protocols
- Forward camera and proxy logs to a centralized analytics platform to detect bulk parameter enumeration patterns
How to Mitigate CVE-2024-8956
Immediate Actions Required
- Upgrade PTZOptics PT30X-SDI and PT30X-NDI-xx-G2 firmware to version 6.3.40 or later using the official update procedure
- Remove cameras from direct internet exposure and restrict management access to a dedicated administrative VLAN
- Rotate all camera credentials and review configuration files for unauthorized changes after patching
- Treat any pre-patch internet-exposed device as potentially compromised and apply incident response procedures
Patch Information
PTZOptics released firmware version 6.3.40 to address the missing authentication check on /cgi-bin/param.cgi. Patch details and download links are available in the PTZOptics Firmware Changelog. Federal agencies and KEV-aligned organizations should follow the remediation deadline tracked in the CISA Known Exploited Vulnerabilities catalog.
Workarounds
- Place cameras behind an authenticating reverse proxy that strips or rejects requests missing valid Authorization headers
- Apply firewall ACLs to block inbound traffic to camera HTTP and HTTPS ports from untrusted networks
- Disable remote management features when not required and limit access to specific administrator workstations
# Example firewall rules restricting management of a camera at 10.20.30.40 to the admin subnet 10.10.50.0/24.
# Rules are evaluated in order, so the ACCEPT rules for the admin subnet must precede the DROP rules,
# and both HTTP and HTTPS need an ACCEPT or administrators lose HTTPS access along with everyone else.
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.30.40 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.30.40 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.20.30.40 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 10.20.30.40 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.