Critical Zero-Day Vulnerabilities Found in PTZ Cameras: Hackers on the Prowl
October 31, 2024
Hackers are capitalizing on two zero-day vulnerabilities found in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras. These cameras are used in a variety of settings, including industrial, healthcare, business conferences, government, and courtrooms. The vulnerabilities were discovered by GreyNoise in April 2024, when its AI-powered threat detection tool, Sift, picked up unusual activity on its honeypot network. This activity did not match any known threats, leading to further investigation. The vulnerabilities were identified as CVE-2024-8956 and CVE-2024-8957.
CVE-2024-8956 is a weak authentication issue in the camera's 'lighttpd' web server. This allows unauthorized users to access the CGI API without an authorization header, exposing usernames, MD5 password hashes, and network configurations. CVE-2024-8957, on the other hand, is due to insufficient input sanitization in the 'ntp.addr' field processed by the 'ntp_client' binary. Attackers can use a specially crafted payload to insert commands for remote code execution.
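The missing sanitization behind CVE-2024-8957 is the kind of gap a strict allowlist closes. The C sketch below is an added example, not PTZOptics or VHD firmware code and not GreyNoise's; the function name `ntp_addr_is_valid` and the sample values are hypothetical. It accepts an NTP server setting only if it is an IP literal or an RFC 1123 hostname.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One DNS label: 1-63 bytes, ASCII letters, digits or '-', no '-' at either end. */
static bool valid_label(const char *s, size_t n)
{
    if (n == 0 || n > 63 || s[0] == '-' || s[n - 1] == '-')
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-')
            return false;
    return true;
}

/* Hypothetical helper: true only for an IPv4/IPv6 literal or an RFC 1123 hostname. */
bool ntp_addr_is_valid(const char *addr)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t len = addr ? strlen(addr) : 0;
    if (len == 0 || len > 253)
        return false;
    if (inet_pton(AF_INET, addr, buf) == 1 || inet_pton(AF_INET6, addr, buf) == 1)
        return true;
    /* Otherwise every dot-separated label must pass; anything else is rejected. */
    const char *label = addr;
    for (;;) {
        const char *dot = strchr(label, '.');
        size_t n = dot ? (size_t)(dot - label) : strlen(label);
        if (!valid_label(label, n))
            return false;
        if (!dot)
            return true;
        label = dot + 1;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from observed traffic. */
    const char *samples[] = { "pool.ntp.org", "192.0.2.10", "2001:db8::1",
                              "time.example.com;x", "a b", "-bad.example", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s %s\n", samples[i], ntp_addr_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind complements, rather than replaces, handing the value to the time client as a discrete argument instead of through a shell.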
Upon exploitation, these vulnerabilities could result in complete camera takeover, infection with bots, pivoting to other devices connected on the same network, or disruption of video feeds. Although the source of the initial activity went silent shortly after the honeypot attacks, a separate attempt using wget to download a shell script for reverse shell access was observed in June.
In response to the discovery of CVE-2024-8956 and CVE-2024-8957, GreyNoise coordinated a responsible disclosure to affected vendors. The devices impacted by these vulnerabilities are NDI-enabled cameras based on Hisilicon Hi3516A V600 SoC V60, V61, and V63, which run VHD PTZ camera firmware versions older than 6.3.40. This includes PTZOptics models, Multicam Systems SAS cameras, and SMTAV Corporation devices.
PTZOptics released a security update on September 17. However, models like the PT20X-NDI-G2 and PT12X-NDI-G2 did not receive a firmware update because they had reached end-of-life. GreyNoise later found that at least two newer models, PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3, which also didn't receive a patch, were affected as well. PTZOptics was notified about the expanded scope on October 25, but no fixes for these models have been released as of writing.
GreyNoise told the media that the flaws likely affect a broad range of camera models. "We (strongly) believe that a wider range of devices is affected, potentially indicating that the actual culprit lies within the SDK the manufacturer (ValueHD / VHD Corporation) uses," GreyNoise stated. Users should check with their device vendor to see if fixes for CVE-2024-8956 and CVE-2024-8957 have been incorporated in the latest available firmware update for their devices.