Known Vulnerabilities & Fixes
As part of our commitment to our customers’ privacy and the security of our products, PTZOptics will share quarterly updates on known vulnerabilities to our cameras and software, the measures we’ve taken to solve these issues, and how customers can implement necessary changes or updates. We strive to constantly improve the quality and security of our products and welcome user input on where these vulnerabilities might exist.
Q1 2025 Update
The PTZOptics team was alerted by VulnCheck, Inc. to three potential security vulnerabilities in the firmware of our G2 30x SDI/NDI camera, as noted in Common Vulnerabilities and Exposures reports CVE-2024-8956 and CVE-2024-8957. The identified vulnerabilities, when used in combination with each other, could potentially allow unauthorized access to sensitive information and control over the cameras. The PTZOptics team tested these vulnerabilities against every PTZOptics device and patched all those affected.
The Vulnerabilities Identified
- Insufficient Authentication – Some API routes in our cameras were not protected by authentication, potentially exposing network and login information.
- Remote File Write – Certain API commands allowed direct modification of files on the camera, posing a risk of unauthorized changes to the camera’s operating files.
- Remote Code Execution – A flaw in the Network Time Protocol configuration API allowed unauthorized users to run applications on the camera, potentially compromising the entire file system.
Our Response
We have now enforced authentication across all API routes and web pages. To address the remote file write issue, users must provide administrative credentials to modify any configuration files on the camera. This ensures only authorized users can change the camera’s settings, safeguarding against unauthorized modifications to the underlying camera configuration files. Regarding the remote code execution issue, we have patched the relevant API and processes to prevent remote code execution. Since being alerted to these vulnerabilities, we have produced firmware updates that address these issues. To ensure the security of PTZOptics cameras, updating the firmware on G2 and G3 cameras is recommended. Detailed instructions for applying the updates are provided on our knowledge base and through our customer support channels.
Please refer to the table below to ensure the firmware for your specific product(s) is updated.
Product | Previous Firmware | CVE/PSTI Approved Firmware |
---|---|---|
PT12X-4K-xx-G3 | 0.0.46 | 0.0.58 |
PT20X-4K-xx-G3 | 0.0.73 | 0.0.85 |
PT30X-4K-xx-G3 | 2.0.48 | 2.0.64 |
PT12X-SE-xx-G3 | 9.1.35 | 9.1.43 |
PT20X-SE-xx-G3 | 9.1.26 | 9.1.32 |
PT30X-SE-xx-G3 | 9.1.24 | 9.1.33 |
PT12X-LINK-4K-xx | 0.0.48 | 0.0.63 |
PT20X-LINK-4K-xx | 0.0.75 | 0.0.89 |
PT30X-LINK-4K-xx | 2.0.50 | 2.0.71 |
PT-STUDIOPRO | 9.0.39 | 9.0.41 |
PT12X-STUDIO-4K-xx-G3 | 8.1.82 | 8.1.90 |
PT20X-STUDIO-4K-xx-G3 | 8.1.83 | 8.1.90 |
PT12X-SDI/NDI-xx | 6.3.62 | 6.3.70 |
PT12X-USB-xx | 6.2.81 | 6.2.88 |
PT20X-SDI/NDI-xx | 6.3.22 | 6.3.27 |
PT20X-USB-xx | 6.2.73 | 6.2.81 |
PT30X-SDI/NDI-xx | 6.3.32 | 6.3.43 |
VL Fixed Camera/NDI Fixed Camera | 7.2.83 | 7.2.94 |
12x Fixed Camera/NDI Fixed Camera | 7.2.80 | 7.2.85 |
20x Fixed Camera/NDI Fixed Camera | 7.2.89 | 7.2.94 |
EPTZ Fixed Camera/NDI Fixed Camera | 8.1.83 | 8.1.89 |
HC-EPTZ-NDI | 8.2.08 | 8.2.14 |
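
To check a camera inventory against the table above, the following added example (not PTZOptics code) compares each device's firmware with the approved build for its model. The function names and the inventory are constructed for illustration; only six table rows are copied in, and the rest can be pasted in the same format. It assumes that "xx" in a product name stands for a variant suffix and that any build at or above the approved one carries the fix.

```python
import re

# Rows copied from the advisory table (product | previous | approved firmware).
ADVISORY_TABLE = """
PT12X-4K-xx-G3 | 0.0.46 | 0.0.58 |
PT30X-SE-xx-G3 | 9.1.24 | 9.1.33 |
PT20X-LINK-4K-xx | 0.0.75 | 0.0.89 |
PT30X-SDI/NDI-xx | 6.3.32 | 6.3.43 |
PT-STUDIOPRO | 9.0.39 | 9.0.41 |
HC-EPTZ-NDI | 8.2.08 | 8.2.14 |
"""

def parse_version(text):
    """'8.2.08' -> (8, 2, 8): compare numerically, never as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def load_rules(table_text):
    """Build (model regex, approved version) pairs; 'xx' is a variant wildcard."""
    rules = []
    for line in table_text.strip().splitlines():
        product, _previous, approved = [c.strip() for c in line.split("|")[:3]]
        pattern = re.escape(product).replace("xx", "[A-Za-z0-9]+")
        rules.append((re.compile(pattern, re.IGNORECASE), parse_version(approved)))
    return rules

RULES = load_rules(ADVISORY_TABLE)

def check(model, firmware, rules=RULES):
    """Classify one device as 'patched', 'outdated' or 'unknown-model'."""
    for pattern, approved in rules:
        if pattern.fullmatch(model.strip()):
            # Assumption: firmware at or above the approved build carries the fix.
            return "patched" if parse_version(firmware) >= approved else "outdated"
    return "unknown-model"

def audit(inventory):
    """Return the (model, firmware, status) entries that are not 'patched'."""
    results = [(m, fw, check(m, fw)) for m, fw in inventory]
    return [r for r in results if r[2] != "patched"]

if __name__ == "__main__":
    # Constructed inventory; in practice export model and firmware per device.
    inventory = [("PT30X-SDI/NDI-GY", "6.3.40"), ("HC-EPTZ-NDI", "8.2.9"),
                 ("PT12X-4K-WH-G3", "0.0.58"), ("PT99X-EXAMPLE", "1.0.0")]
    for model, firmware, status in audit(inventory):
        print(f"{model}\t{firmware}\t{status}")
```

Each product line uses its own version numbering, so a device is only ever compared against the row for its own model; models that match no row are reported as unknown rather than assumed safe.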