CVE-2024-8957: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in PTZOptics PT30X-SDI
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.
AI Analysis
Technical Summary
CVE-2024-8957 is an OS command injection vulnerability identified in PTZOptics PT30X-SDI/NDI-xx cameras running firmware versions prior to 6.3.40. The root cause is improper neutralization of special elements in the ntp_addr configuration parameter, which is used by the ntp_client service to synchronize time. Because the input is not properly sanitized, an attacker can craft malicious input that injects arbitrary commands executed with the privileges of the ntp_client process. This vulnerability is classified under CWE-78, indicating improper neutralization of special elements used in OS commands. The CVSS v3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Although exploitation requires high privileges (PR:H), chaining this vulnerability with CVE-2024-8956 allows unauthenticated remote attackers to gain arbitrary command execution, significantly increasing the threat scope. The affected devices are commonly deployed in enterprise and broadcast environments for video streaming and surveillance, making them attractive targets for attackers seeking to disrupt operations or gain persistent access. No patches or exploits are publicly documented yet, but the vulnerability’s nature demands urgent attention.
Potential Impact
The vulnerability allows attackers to execute arbitrary OS commands on affected PTZOptics cameras, potentially leading to full device compromise. This can result in unauthorized access to video feeds, manipulation or disruption of camera functions, and use of the device as a foothold within the network. Confidentiality is at risk as attackers may intercept or alter video streams. Integrity is compromised because attackers can modify device settings or firmware. Availability may be impacted if attackers disable or crash the device. In environments relying on these cameras for security or broadcasting, exploitation could cause operational disruptions, data breaches, or facilitate lateral movement within the network. The chaining with CVE-2024-8956 further escalates risk by enabling unauthenticated remote exploitation, increasing the attack surface and potential for widespread impact.
Mitigation Recommendations
1. Immediately update PTZOptics PT30X-SDI/NDI-xx cameras to firmware version 6.3.40 or later once available to address the vulnerability.
2. Until patches are applied, restrict network access to the cameras by implementing network segmentation and firewall rules that limit access to trusted management hosts only.
3. Disable or restrict the ntp_client service if time synchronization is not critical or can be handled externally.
4. Monitor network traffic for unusual patterns or commands targeting the ntp_addr parameter or ntp_client service.
5. Employ strong authentication and access controls on camera management interfaces to prevent unauthorized configuration changes.
6. Conduct regular security audits and vulnerability scans on IoT and video surveillance devices to detect similar issues early.
7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures for command injection attempts targeting these devices.
8. Maintain an inventory of all PTZOptics devices and ensure they are included in patch management processes.
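The monitoring in recommendations 4 and 7 can be approximated with a strict allow-list check on ntp_addr values. The following is an added example, not code from PTZOptics or from this advisory; it assumes the values are available as config-export lines or form-encoded request bodies (both formats and the sample data are constructed), and it flags any ntp_addr that is not a plain IP literal or hostname.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Characters that can appear in an IP literal or DNS hostname; nothing else.
_ALLOWED = re.compile(r"[0-9A-Za-z.:-]{1,253}")
# RFC 1123 label: no leading or trailing hyphen (also blocks "-option" values).
_LABEL = re.compile(r"(?!-)[0-9A-Za-z-]{1,63}(?<!-)")
# ntp_addr is the parameter named in the advisory; the line formats are assumed.
_PARAM = re.compile(r"(?:^|[&?\s])ntp_addr=([^&\r\n]*)")


def is_safe_ntp_addr(value: str) -> bool:
    """Allow-list check: IP literal or plain hostname, no shell-special characters."""
    if not _ALLOWED.fullmatch(value):
        return False  # rejects ; | & $ ` ( ) spaces, quotes, newlines, % scope ids
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def audit(text: str) -> list[tuple[int, str]]:
    """Return (line number, decoded value) for every ntp_addr that fails the check."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for raw in _PARAM.findall(line):
            value = unquote_plus(raw)  # decode %3B etc. before judging
            if not is_safe_ntp_addr(value):
                findings.append((number, value))
    return findings


# Constructed sample: config-export lines and form-encoded request bodies.
SAMPLE = """\
ntp_addr=time.example.org
ntp_enable=1&ntp_addr=192.0.2.10&tz=UTC
ntp_addr=time.example.org%3Breboot
ntp_addr=$(id)
ntp_addr=fe80::1%25eth0
"""

if __name__ == "__main__":
    for number, value in audit(SAMPLE):
        print(f"line {number}: suspicious ntp_addr {value!r}")
```

The character allow-list runs before `ipaddress.ip_address` because Python accepts IPv6 scope ids after `%`, which would otherwise let arbitrary characters through as part of an "IP address".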
Affected Countries
United States, Canada, United Kingdom, Germany, France, Japan, South Korea, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2024-09-17T19:08:48.129Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f7d9b7247d717aace26ca1
Added to database: 10/21/2025, 7:06:31 PM
Last enriched: 2/27/2026, 4:31:37 PM
Last updated: 3/25/2026, 1:38:00 PM