MidnightBSD

Advisories for ptzoptics

CVE-2024-8956

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
ptzoptics pt30x-ndi-xx-g2_firmware *
ptzoptics pt30x-sdi_firmware *

CVE-2024-8957

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value, which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
ptzoptics pt30x-ndi-xx-g2_firmware *
ptzoptics pt30x-sdi_firmware *

CVE-2025-35451

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ptzoptics pt30x-ndi-xx_firmware *
valuehd vx61asl_firmware *
smtav ba12-n_firmware *
valuehd vx60asl_firmware *
valuehd v61w_firmware *
ptzoptics pt20x-ndi-xx_firmware *
valuehd vx61al_firmware *
valuehd vx701ra_firmware *
smtav bx20n_firmware *
ptzoptics pt12x-sdi-xx-g2_firmware *
valuehd vx61basl_firmware *
ptzoptics vl_fixed_camera_firmware *
ptzoptics ndi_fixed_camera_firmware *
ptzoptics pteptz-ndi-zcam-g2_firmware *
valuehd vx630al_firmware *
smtav ba12s_firmware *
valuehd vx701ta_firmware *
ptzoptics ptvl-zcam_firmware *
ptzoptics pteptz-zcam-g2_firmware *
smtav ba30s_firmware *
valuehd v60xl_firmware *
smtav ba20-n_firmware *
valuehd vx60al_firmware *
valuehd vx720l_firmware *
smtav ba20s_firmware *
smtav ba30-n_firmware *
smtav bx20uhd-n_firmware *
smtav bx20uhd_firmware *
ptzoptics pt20x-usb-xx-g2_firmware *
valuehd vx752ag_firmware *
valuehd vx70uvs_firmware *
ptzoptics pt20x-zcam_firmware *
ptzoptics pt12x-zcam_firmware *
multicam-systems mcamii_ptz_firmware *
valuehd vx752a_firmware *
smtav bx30s_firmware *
smtav hd17h_firmware *
smtav hd17h-n_firmware *
smtav bx20s-sh_firmware *
valuehd v63xl_firmware *
valuehd v71uvs_firmware *
valuehd vx751ba_firmware *
ptzoptics pt12x-ndi-xx_firmware *
ptzoptics pt30x-sdi-xx-g2_firmware *
smtav bv20s_firmware *
ptzoptics pt12x-usb-xx-g2_firmware *
valuehd vx90_firmware *
ptzoptics pt20x-sdi-xx-g2_firmware *
valuehd vx800i2_firmware *
valuehd vx71uvs_firmware *
smtav bv30s_firmware *

CVE-2025-35452

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
valuehd vx61asl_firmware *
ptzoptics ptvl-zcam_firmware -
smtav ba12-n_firmware *
valuehd vx60asl_firmware *
ptzoptics pt20x-4k-xx-g3_firmware *
ptzoptics pt30x-4k-xx-g3_firmware *
valuehd v61w_firmware *
valuehd vx61al_firmware *
valuehd vx701ra_firmware *
smtav bx20n_firmware *
valuehd vx61basl_firmware *
ptzoptics pt30x-ndi-xx_firmware -
ptzoptics vl_fixed_camera_firmware *
ptzoptics ndi_fixed_camera_firmware *
valuehd vx630al_firmware *
ptzoptics pt20x-usb-xx-g2_firmware -
ptzoptics pt-studiopro_firmware *
smtav ba12s_firmware *
ptzoptics pt20x-link-4k-xx_firmware *
ptzoptics pt12x-usb-xx-g2_firmware -
ptzoptics pt20x-se-xx-g3_firmware *
valuehd vx701ta_firmware *
smtav ba30s_firmware *
valuehd v60xl_firmware *
smtav ba20-n_firmware *
ptzoptics pt12x-ndi-xx_firmware -
ptzoptics pt12x-link-4k-xx_firmware *
valuehd vx60al_firmware *
valuehd vx720l_firmware *
smtav ba20s_firmware *
smtav ba30-n_firmware *
smtav bx20uhd-n_firmware *
ptzoptics pt12x-se-xx-g3_firmware *
smtav bx20uhd_firmware *
valuehd vx752ag_firmware *
valuehd vx70uvs_firmware *
ptzoptics pt30x-sdi-xx-g2_firmware -
ptzoptics pt12x-zcam_firmware -
multicam-systems mcamii_ptz_firmware *
ptzoptics pt12x-sdi-xx-g2_firmware -
valuehd vx752a_firmware *
smtav bx30s_firmware *
smtav hd17h_firmware *
ptzoptics pt20x-sdi-xx-g2_firmware -
smtav hd17h-n_firmware *
smtav bx20s-sh_firmware *
valuehd v63xl_firmware *
valuehd v71uvs_firmware *
ptzoptics pt30x-se-xx-g3_firmware *
ptzoptics pt20x-zcam_firmware -
valuehd vx751ba_firmware *
ptzoptics pt30x-link-4k-xx_firmware *
smtav bv20s_firmware *
valuehd vx90_firmware *
ptzoptics pt12x-4k-xx-g3_firmware *
ptzoptics pteptz-ndi-zcam-g2 -
ptzoptics pteptz-zcam-g2_firmware -
valuehd vx800i2_firmware *
valuehd vx71uvs_firmware *
ptzoptics t20x-ndi-xx_firmware -
smtav bv30s_firmware *