CVE-2024-8957 HIGH

CVE-2024-8957: PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration

Vendor Ptzoptics

Product PT30X-SDI

Weakness CWE-78

KEV Status Known Exploited

Published September 17, 2024

Last update December 27, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

September 17, 2024 CVE published

December 27, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-8957 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html CISA KEV Reference https://ptzoptics.com/firmware-changelog/ CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2024-8957

Related vulnerabilities

Identifiers

CVE CVE-2024-8957

CWE CWE-78

CVSS 7.2 / HIGH

Affected versions

Vendor Ptzoptics

Product PT30X-SDI

Affected < 6.3.40

Vendor Ptzoptics

Product PT30X-NDI

Affected < 6.3.40

CVE-2024-8957: PTZOptics NDI and SDI Cameras Command Injection via NTP Address Configuration

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE