CVE-2025-35451: CWE-798 Use of Hard-coded Credentials in PTZOptics PT12X-SE-xx-G3
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.
AI Analysis
Technical Summary
CVE-2025-35451 is a critical vulnerability in PTZOptics PT12X-SE-xx-G3 pan-tilt-zoom (PTZ) cameras, and possibly in other cameras built on the same ValueHD platform. The firmware ships with hard-coded default administrative credentials that the user cannot change, and the advisory states the passwords can readily be cracked, so an attacker can obtain them without any help from the vendor. Many units also run SSH and telnet listening on all network interfaces, and the user cannot disable either service. The weakness is CWE-798 (Use of Hard-coded Credentials).

The CVSS v3.1 score of 9.8 (critical) reflects a network-reachable service, low attack complexity, no user interaction and no prior privileges (a fixed credential that anyone can recover does not count as a privilege in CVSS scoring), with full loss of confidentiality, integrity and availability of the device. A successful login gives an interactive administrative session on the camera: the attacker can capture or alter video streams, drive the camera, change its configuration, and use it as a persistent foothold for lateral movement. Because there is no way to rotate the credential or turn the services off, the only controls left are at the network layer or replacement of the device.

No patch or firmware update was available at the time of writing and no exploitation in the wild had been reported, but the attack needs nothing beyond network reachability and the known credential, so any unit reachable from an untrusted network should be treated as exposed.
Potential Impact
For European organizations the risk is highest where these cameras sit in corporate offices, government buildings, critical infrastructure and public venues. A compromised camera gives an attacker the live video feed and control of what it points at, which means covert surveillance, privacy violations and exposure of whatever the camera can see. Because the attacker also gets a shell on an always-on networked device, the camera can serve as an entry point and staging host for data exfiltration, ransomware deployment or disruption of operations.

Unchangeable credentials on services that are always listening also make these cameras ideal targets for automated scanning: one attempt with the known credential succeeds on every reachable unit, with no brute-force noise to be noticed. Video surveillance is itself part of security operations, so tampering with it degrades situational awareness and incident response. Finally, the inability to disable the services or change the credential means a compromised camera cannot be cleaned up in place: a factory reset restores the same credential, and the exposure persists until the device is isolated or replaced.
Mitigation Recommendations
Since no patch or firmware update was available at the time of writing to remove the hard-coded credentials or disable the remote access services, the following compensating controls should be put in place immediately. The constraint that shapes all of them: the password is known to anyone who has cracked it, so the first login attempt succeeds, and any host that can reach TCP port 22 or 23 on a camera is effectively an administrator of that camera.

1) Inventory and exposure check: find every PTZOptics/ValueHD camera, scan the camera address ranges for TCP 22 and 23 on every interface and address the cameras hold (e.g. nmap -p22,23 against the camera subnets), and confirm that none are reachable from the internet or from general-purpose user networks.

2) Network segmentation: place the cameras on a dedicated VLAN with no route to or from user, server or internet segments beyond what the video platform needs.

3) Firewall rules: drop telnet (TCP 23) to the cameras unconditionally; it is cleartext and has no legitimate use. Permit SSH (TCP 22) only from a small set of hardened management hosts, and only if remote administration is actually needed; otherwise drop it as well. Also drop connections the cameras themselves initiate towards other networks on 22 and 23, since a compromised camera will be used to pivot.

4) Network monitoring: alert on any SSH or telnet connection to or from the camera VLAN that the firewall policy does not allow, not only on brute-force bursts. With a known credential there is no failed-login storm to detect; a single successful session is the whole attack.

5) Device replacement: plan to replace these units with models that allow credential rotation and service disabling; until then treat them as untrusted devices.

6) Physical security: restrict physical access to the cameras and their network drops to prevent local exploitation or tampering.

7) Vendor engagement: ask PTZOptics and ValueHD for firmware that allows the administrative password to be changed and SSH/telnet to be disabled, and track any updates to the advisory.

8) Incident response readiness: decide in advance how a compromised camera will be isolated and which evidence (firewall logs, flow records, video-platform logs) will be collected, since the device itself cannot be trusted to report on its own state.
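Items 3 and 4 above only work if the firewall allow-list and the detection logic agree on what "allowed" means. The following Python example, added here and not taken from PTZOptics, ValueHD or the advisory, keeps one policy object for a hypothetical camera VLAN (10.50.0.0/24) with one hypothetical management host (10.10.1.5), renders nftables forward-chain rules from it, and reviews constructed Zeek conn.log-style records against the same policy. It flags every forbidden SSH/telnet flow individually, so a single successful login from the wrong host is reported, and separately counts per-source bursts. Addresses, ports and log lines are all invented for the example.

```python
"""Policy-driven guard for cameras whose admin credentials cannot be rotated.

One policy object drives both the firewall rules that enforce access and the
log review that detects attempts, so the two cannot drift apart. All subnets,
hosts and log lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterator, Optional

SSH, TELNET = 22, 23


@dataclass
class CameraPolicy:
    camera_nets: list                              # subnets holding the PTZ cameras
    mgmt_hosts: set = field(default_factory=set)   # the only hosts allowed to SSH in
    burst_threshold: int = 5                       # flagged flows per source = "burst"

    def is_camera(self, host: str) -> bool:
        addr = ip_address(host)
        return any(addr in net for net in self.camera_nets)

    def verdict(self, src: str, dst: str, dport: int) -> Optional[str]:
        """Label a flow the policy forbids, or return None if it is allowed.

        Telnet is never allowed (cleartext, fixed password). SSH is allowed only
        from management hosts: with an unchangeable credential, the source host
        is the only thing left to control. A camera opening SSH/telnet outbound
        is treated as a pivot attempt.
        """
        if self.is_camera(dst):
            if dport == TELNET:
                return "telnet-to-camera"
            if dport == SSH and src not in self.mgmt_hosts:
                return "ssh-to-camera-from-unauthorized-host"
        elif self.is_camera(src) and dport in (SSH, TELNET):
            return "camera-initiated-remote-shell"
        return None

    def nft_rules(self) -> str:
        """Render nftables forward-chain rules equivalent to verdict().

        Only the camera-specific rules are rendered; the chain's default policy
        is left to the site (it should be drop on a segmented network).
        """
        cams = ", ".join(str(n) for n in self.camera_nets)
        lines = ["table inet camera_guard {",
                 f"  set cameras {{ type ipv4_addr; flags interval; elements = {{ {cams} }} }}"]
        if self.mgmt_hosts:
            mgmt = ", ".join(sorted(self.mgmt_hosts))
            lines.append(f"  set mgmt {{ type ipv4_addr; elements = {{ {mgmt} }} }}")
        lines += ["  chain forward {",
                  "    type filter hook forward priority 0; policy accept;",
                  '    ip daddr @cameras tcp dport 23 counter log prefix "CAM_TELNET " drop']
        if self.mgmt_hosts:
            lines.append("    ip daddr @cameras tcp dport 22 ip saddr @mgmt counter accept")
        lines += ['    ip daddr @cameras tcp dport 22 counter log prefix "CAM_SSH " drop',
                  '    ip saddr @cameras tcp dport { 22, 23 } counter log prefix "CAM_EGRESS " drop',
                  "  }", "}"]
        return "\n".join(lines)


# Constructed Zeek conn.log-style records (tab separated, with a #fields header).
ZEEK_CONN_SAMPLE = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1757000001.1\t10.10.1.5\t51000\t10.50.0.21\t22\ttcp\tSF",    # mgmt host: allowed
    "1757000002.2\t10.20.7.88\t51001\t10.50.0.21\t23\ttcp\tSF",   # telnet from a workstation
    "1757000003.3\t10.20.7.88\t51002\t10.50.0.22\t22\ttcp\tREJ",  # SSH from a non-mgmt host
    "1757000004.4\t10.20.7.88\t51003\t10.50.0.22\t22\ttcp\tREJ",
    "1757000005.5\t10.20.7.88\t51004\t10.50.0.22\t22\ttcp\tREJ",
    "1757000006.6\t10.30.4.9\t51005\t10.50.0.21\t80\ttcp\tSF",    # web UI: out of scope here
    "1757000007.7\t10.50.0.21\t40000\t10.10.2.40\t22\ttcp\tS0",   # camera pivoting outbound
    "1757000008.8\t10.40.0.3\t51006\t10.50.0.21\t23\tudp\tS0",    # not TCP: ignored
])


def parse_zeek_conn(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def review(policy: CameraPolicy, text: str):
    """Return (alerts, bursts): every forbidden TCP flow, and sources over threshold."""
    alerts, per_source = [], defaultdict(int)
    for rec in parse_zeek_conn(text):
        if rec["proto"] != "tcp":
            continue
        label = policy.verdict(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))
        if label:
            alerts.append((rec["ts"], rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]), label))
            per_source[rec["id.orig_h"]] += 1
    bursts = {src: n for src, n in per_source.items() if n >= policy.burst_threshold}
    return alerts, bursts


DEMO_POLICY = CameraPolicy([ip_network("10.50.0.0/24")], {"10.10.1.5"}, burst_threshold=4)

if __name__ == "__main__":
    print(DEMO_POLICY.nft_rules())
    found, bursts = review(DEMO_POLICY, ZEEK_CONN_SAMPLE)
    for alert in found:
        print(*alert)
    print("bursts:", bursts)
```

On the sample, the management host's SSH session produces nothing, the single telnet connection and each unauthorized SSH attempt are reported on their own, the camera's outbound SSH is reported as a pivot, and 10.20.7.88 is additionally listed as a burst. The rendered ruleset can be reviewed and loaded with nft -f; the chain is rendered with policy accept only so it can be dropped into an existing ruleset, and the site's own default-deny should stay in force around it.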
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:57:14.282Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68bb230f3933eaf832a4e5f2
Added to database: 9/5/2025, 5:51:11 PM
Last enriched: 9/12/2025, 11:56:37 PM
Last updated: 10/19/2025, 12:32:09 PM