October 31, 2024 By Bill Toulas
Hackers are attempting to exploit two zero-day vulnerabilities in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, and courtroom settings.
In April 2024, GreyNoise discovered CVE-2024-8956 and CVE-2024-8957 after its AI-powered threat detection tool, Sift, detected unusual activity on its honeypot network that did not match any known threats.
Upon examination of the alert, GreyNoise researchers uncovered an exploit attempt that targeted the camera's CGI-based API and embedded 'ntp_client' aiming to achieve command injection.
A technical deep-dive by GreyNoise researcher Konstantin Lazarev provides more info on the two flaws.
CVE-2024-8956 is a weak authentication problem in the camera's 'lighthttpd' web server, allowing unauthorized users to access the CGI API without an authorization header, which exposes usernames, MD5 password hashes, and network configurations.
CVE-2024-8957 is caused by insufficient input sanitization in the 'ntp. addr' field processed by the 'ntp_client' binary, allowing attackers to use a specially crafted payload to insert commands for remote code execution.
