CVE-2025-35451 Overview
CVE-2025-35451 is a critical vulnerability affecting PTZOptics and other ValueHD-based pan-tilt-zoom (PTZ) cameras that stems from the use of hard-coded, default administrative credentials. These credentials are easily crackable and cannot be changed by users. Additionally, many affected devices have SSH or telnet services listening on all network interfaces, and users are unable to disable these services, creating a significant attack surface for remote compromise.
This vulnerability represents a severe security flaw in IoT/surveillance camera infrastructure commonly deployed in enterprise environments, broadcasting studios, conference rooms, and critical infrastructure facilities. The combination of immutable default credentials and always-on remote access services creates an easily exploitable pathway for attackers to gain full administrative control over affected devices.
Critical Impact
Attackers can gain complete administrative control over affected PTZ cameras using hard-coded credentials that cannot be changed, enabling surveillance manipulation, network pivoting, and persistent unauthorized access.
Affected Products
- PTZOptics PT12x, PT20x, PT30x Series (SDI, NDI, USB, ZCAM variants)
- PTZOptics VL Fixed Camera and NDI Fixed Camera
- Multicam-Systems MCAMii PTZ
- SMTAV BA, BV, BX, and HD17H Series Cameras
- ValueHD VX and V Series Cameras (VX90, VX720L, VX752AG, VX751BA, VX630AL, VX60/61 series, VX70/71 series, V60/61/63 series)
Discovery Timeline
- September 5, 2025 - CVE-2025-35451 published to NVD
- January 14, 2026 - Last updated in NVD database
Technical Details for CVE-2025-35451
Vulnerability Analysis
This vulnerability falls under CWE-798 (Use of Hard-Coded Credentials), a fundamental security design flaw where authentication credentials are embedded directly in device firmware. The affected PTZ cameras ship with administrative credentials that are not only defaulted but cannot be modified by end users, creating a permanent security weakness across all deployed devices.
The situation is compounded by the fact that SSH and telnet services are enabled by default and bound to all network interfaces (0.0.0.0), meaning any device with network connectivity to the camera can attempt authentication. Users have no ability to disable these services through the device's management interface, leaving the administrative services perpetually exposed.
The vulnerability enables network-based attacks without requiring any prior authentication or user interaction. An attacker with network access to an affected camera can authenticate using the known default credentials, gaining full administrative access to the device. This provides high-impact compromise across confidentiality, integrity, and availability of the affected systems.
Root Cause
The root cause is a fundamental design flaw in the firmware architecture where:
- Administrative credentials are hard-coded into the firmware binary
- No mechanism exists for users to change these credentials
- SSH and telnet services are enabled by default on all interfaces
- No user-accessible controls exist to disable remote administration services
The hard-coded passwords are stored in a format that can be readily cracked, meaning the credentials are effectively public knowledge for anyone who analyzes the firmware or reads public disclosure information.
Attack Vector
The attack vector is straightforward network-based authentication using known credentials. An attacker proceeds through these steps:
- Identify exposed PTZ cameras on the network through port scanning (SSH port 22, telnet port 23)
- Attempt authentication using the known hard-coded credentials
- Upon successful authentication, gain root or administrative shell access
- Leverage access for surveillance manipulation, network reconnaissance, or persistent access
Since the credentials cannot be changed and the services cannot be disabled, traditional credential-based mitigations are ineffective. Attackers can compromise devices over the internet if cameras are directly exposed, or from within internal networks if cameras are deployed without proper segmentation.
Detection Methods for CVE-2025-35451
Indicators of Compromise
- Unexpected SSH or telnet connections to PTZ camera devices from internal or external sources
- Authentication events in camera logs from unknown IP addresses
- Changes to camera configurations, presets, or streaming settings without authorized user action
- Network traffic from camera devices to unexpected destinations indicating potential command-and-control activity
Detection Strategies
- Monitor network traffic for SSH (port 22) and telnet (port 23) connections to known PTZ camera IP addresses
- Deploy network-based intrusion detection rules to alert on authentication attempts to camera devices
- Implement host-based logging collection from cameras if supported, focusing on authentication events
- Conduct regular asset inventory scans to identify exposed PTZ cameras with open SSH/telnet ports
Monitoring Recommendations
- Configure SIEM alerts for any successful authentication to PTZ camera devices from non-administrative workstations
- Implement network flow monitoring to detect unusual data exfiltration patterns from camera subnets
- Schedule periodic vulnerability scans targeting IoT and camera segments to identify newly deployed affected devices
- Monitor for firmware update activities or configuration changes on camera devices during non-maintenance windows
How to Mitigate CVE-2025-35451
Immediate Actions Required
- Isolate affected PTZ cameras on dedicated network segments with strict access control lists
- Implement firewall rules blocking SSH and telnet access to cameras from all unauthorized sources
- Conduct asset inventory to identify all deployed PTZOptics, SMTAV, Multicam-Systems, and ValueHD cameras
- Enable logging and monitoring on network devices to detect any unauthorized access attempts to camera systems
- Contact device vendors to request firmware updates that address the hard-coded credential vulnerability
Patch Information
Organizations should consult the CISA ICS Advisory ICSA-25-162-10 for official guidance on affected products and vendor response. The GitHub CSAF repository contains machine-readable vulnerability information for automated security tooling.
At the time of publication, the fundamental design flaw requires firmware updates from affected vendors to properly remediate. Organizations should monitor vendor communications for firmware updates that:
- Allow users to change administrative credentials
- Provide options to disable SSH/telnet services
- Implement secure default configurations
Workarounds
- Place all affected cameras behind network firewalls that block all inbound SSH and telnet traffic
- Implement network segmentation isolating camera infrastructure from general corporate networks and the internet
- Deploy network access control (NAC) solutions to restrict which devices can communicate with camera systems
- Use VPN or jump host architectures requiring strong authentication before accessing camera management networks
# Example firewall rules to block SSH/telnet access to PTZ cameras
# Replace 192.168.10.0/24 with your camera subnet
# iptables - Block SSH to camera subnet
iptables -A FORWARD -d 192.168.10.0/24 -p tcp --dport 22 -j DROP
# iptables - Block telnet to camera subnet
iptables -A FORWARD -d 192.168.10.0/24 -p tcp --dport 23 -j DROP
# Allow only from specific management host (e.g., 192.168.1.100)
iptables -A FORWARD -s 192.168.1.100 -d 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.1.100 -d 192.168.10.0/24 -p tcp --dport 23 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
