Critical PTZ Camera Vulnerabilities: Protect Your Network from Exploits

The security landscape of networked pan-tilt-zoom (PTZ) cameras—crucial components in business, government, healthcare, and critical infrastructure—has come under renewed scrutiny following the discovery of a series of critical, remotely exploitable vulnerabilities affecting PTZOptics cameras as well as models from ValueHD, SMTAV, and multiCAM Systems. These flaws, now tracked in the public domain under high-severity CVEs with base scores soaring as high as 9.8 (CVSS v3) and 9.3 (CVSS v4), expose an array of attack vectors—from improper authentication and OS command injection to the longstanding peril of hard-coded credentials. As authorities such as CISA sound the alarm and affected vendors implement (or fail to implement) mitigating patches, organizations relying on these devices must urgently reevaluate the balance between camera functionality, network exposure, and a rapidly evolving threat model.

Understanding the Stakes: Why PTZ Camera Vulnerabilities Matter​

PTZ cameras are valued for their versatility, with remote pan, tilt, and zoom capabilities making them staples for environments ranging from corporate boardrooms and lecture halls to industrial facilities and public venues. Their connectivity—once the key to integration and centralized control—has instead transformed them into attractive entry points for threat actors, especially when the underlying firmware and authentication paradigms fail to keep pace with modern security expectations.
Attackers leveraging vulnerabilities in these cameras could do far more than interrupt surveillance. In critical infrastructure and government deployments, compromised PTZ cameras may become hidden footholds for espionage, data exfiltration, or pivoting deeper into privileged networks. The consequences of such breaches echo beyond privacy concerns into potential operational disruptions, regulatory liabilities, and damage to organizational trust.

Executive Summary: Latest Disclosures and Severity​

In early June, an ICS advisory (ICSA-25-162-10) was issued by CISA spotlighting vulnerabilities grouped under multiple CVE identifiers including:

• CVE-2025-35451: Hard-coded OS/telnet credentials, cannot be changed or disabled.
• CVE-2025-35452: Hard-coded web admin credentials, patched only in latest production firmware.
• CVE-2024-8956: Improper authentication on key management endpoints, enabling data leaks and unauthorized configuration changes.
• CVE-2024-8957: OS command injection via improperly sanitized configuration parameters.

The CVSS v4 base scores (ranging 8.6 to 9.3) underscore the risk's gravity—low attack complexity, no user interaction, and remote exploitation potential.
Vulnerable Vendors/Products:

• PTZOptics (numerous models and firmware)
• SMTAV (all PTZ cameras)
• multiCAM Systems (all PTZ cameras)
• ValueHD (all PTZ cameras)

Sectors at Risk:
Commercial facilities, critical manufacturing, healthcare, government, and public services across global deployments.

Deep Dive: Technical Analysis of Core Vulnerabilities​

Improper Authentication (CWE-287, CVE-2024-8956)​

A hallmark of insecure by design, certain PTZOptics firmware (notably PT30X-SDI/NDI series prior to 6.3.40) does not enforce HTTP authentication for /cgi-bin/param.cgi. Attackers can send unauthenticated requests to extract sensitive data—usernames, hashed passwords, configurations—and even overwrite configuration files without leaving a trace. The risk escalates further when attackers pair this vector with command injection flaws, laying a foundation for full remote compromise.

• CVSS v3 base score: 9.1
• CVSS v4 base score: 9.3
• Exploitability: Remote, no authentication, no user interaction

OS Command Injection (CWE-78, CVE-2024-8957)​

Another critical flaw lies in the unsanitized handling of the ntp_addr parameter. By inputting a maliciously crafted value, authenticated attackers (and unauthenticated attackers when chained with the prior flaw) can execute arbitrary system commands with high privileges on the device OS. This can facilitate persistence, lateral movement, or establish the camera as a botnet node.

• CVSS v3 base score: 7.2
• CVSS v4 base score: 8.6

Hard-coded Credentials for OS/Telnet (CWE-798, CVE-2025-35451)​

Perhaps the most egregious and persistent vulnerability across ValueHD-based designs—including PTZOptics and others—is the use of fixed, default account credentials (including root) for the underlying Linux host OS and network management services (SSH/telnet). Neither the password nor the services can be disabled via the official UI, eliminating any practical recourse for administrators until the vendor provides a fix.

• CVSS v3 base score: 9.8
• CVSS v4 base score: 9.2

Hard-coded Web Admin Credentials (CWE-798, CVE-2025-35452)​

Similar to the OS-level flaw, this issue involves a shared web management password embedded into camera firmware and used across entire product lines. Attackers who obtain or guess this password can bypass normal authentication to access sensitive camera functions. While PTZOptics has patched this in newer firmware, other vendors have left the issue unresolved.

• CVSS v3 base score: 9.8
• CVSS v4 base score: 9.2

Product and Firmware Impact Assessment​

PTZOptics​

The wide prevalence of these flaws in PTZOptics portfolio is deeply concerning. Affected models span SDI, NDI, USB, ZCAM, STUDI PRO, LINK 4K, SE, and more—potentially implicating thousands of devices worldwide. Firmware versions preceding mid-2025 are all considered vulnerable for the most severe flaws. Firmware updates resolving these issues are now available for download directly from the PTZOptics site, but require immediate application to be effective.

ValueHD, SMTAV, and multiCAM Systems​

All referenced PTZ camera models from these vendors remain at risk, with no direct patch or mitigating guidance publicly available as of the latest disclosure. These vendors have not engaged with CISA or independently published security advisories, raising questions regarding their ongoing commitment to vulnerability management. If your organization uses cameras from these manufacturers, extreme caution and additional network segmentation are prudent.

Deployment Footprint​

PTZ cameras produced by these vendors are widely deployed not only in conventional security and conference settings, but also in:

• Critical manufacturing assets (e.g., industrial robots, control rooms)
• Government administrative and defense facilities
• Healthcare premises (including patient monitoring and telemedicine)
• Commercial venues and event production

Given their integration with physical security controls and sensitive IT networks, unpatched units can create a backdoor across various high-trust environments.

Critical Analysis: Strengths, Weaknesses, and Real-World Consequences​

Vendor Response and Patch Deployment​

PTZOptics’ willingness to swiftly publish fixes for its own products represents a positive, though long overdue, step forward. The availability of firmware updates—paired with well-documented CVEs and public advisories via CISA—sets a standard for what responsible disclosure and coordinated response should look like in the IoT space.
However, this is tempered by severe weaknesses across the sector:

• Patch Gaps and Vendor Silence: ValueHD, SMTAV, and multiCAM Systems have failed to acknowledge, let alone address, the highlighted vulnerabilities. This non-responsiveness leaves security teams with no option but to isolate these cameras or replace them entirely.
• Legacy and Third-Party Supply Chains: Many PTZ cameras are rebadged or platform-shared products, creating the risk that similar vulnerabilities persist, undocumented, in other branded units—especially in the case of OEMs leveraging ValueHD components or firmware.
• Default Credential Peril: Continued reliance on hard-coded or shared passwords harks back to the darkest days of insecure IoT—an unacceptable practice in 2025. CISA guidance and best industry practices have, for years, warned of the threat posed by credential reuse and administrative access left unchanged.
• Authentication Lapses: The improper enforcement of authentication on sensitive endpoints is neither new nor subtle. Such oversight indicates a lack of rigorous security review and penetration testing during the firmware development lifecycle.

Exploitation in the Wild​

As of the time of writing, no confirmed public exploitation has been directly associated with these vulnerabilities. Nonetheless, the trivial nature of the required attack—remote, unauthenticated, and scriptable—means that adversarial interest is likely to escalate rapidly following disclosure. Cybercriminals seeking to target surveillance assets, gain insider views, or establish persistent footholds can automate exploitation at scale using open-source scanning tools.

Potential for Supply Chain and Lateral Attack​

Even in the absence of a direct breach, the presence of hard-coded credentials and weak endpoint verification enables advanced threats to conceal malware, launch DDoS attacks (as seen historically in IoT botnets like Mirai), or facilitate targeted espionage deep within organizational networks. Cameras become a kinetic liability—windows both into physical space and digital systems if not robustly segmented.

Recommended Mitigations and Strategic Takeaways​

Patching and Firmware Management​

• PTZOptics Users: Immediately consult the PTZOptics vulnerabilities and fixes page to download and install the requisite firmware updates for all affected devices. Do not delay, as unpatched units remain trivially exploitable.
• Other Vendors: For ValueHD, SMTAV, and multiCAM Systems cameras, monitor vendor communications, consult CISA, and consider replacing vulnerable units if patching is not forthcoming. Directly contacting vendors through their published support channels is prudent, though success is not guaranteed.

Network Hardening and Access Controls​

Security experts and CISA urge the following best practices, especially where vendor patches are unavailable or incomplete:

• Isolate Camera Networks: Ensure all cameras operate on a segregated VLAN or physically separate network, never directly accessible from internet-facing segments or business-critical systems.
• Restrict Remote Access: Disable unnecessary remote access services (SSH, telnet) wherever possible; when required, enforce strict firewall rules, limit to whitelisted IPs, and use VPN with multifactor authentication.
• Remove Default Credentials: Where permitted by the firmware, urgently change all default passwords and enforce unique, strong credentials for web and OS access. Document any inability to change passwords as a justification for decommissioning devices.
• Monitor for Anomalies: Integrate camera traffic with your SIEM (Security Information and Event Management) systems, and alert on unauthorized access attempts, unexpected configuration changes, or outbound connections.

Organizational Policy​

• Procurement and Lifecycle Management: Update procurement policies to require vendor security transparency, rapid patch cycles, and well-documented disclosure practices. At end-of-life, rigorously sanitize all devices to eliminate credential reuse.
• Incident Response Planning: Prepare for the eventuality of camera compromise—have response playbooks, isolate compromised segments, and coordinate with CISA and law enforcement where critical infrastructure or regulated data is at stake.

The Road Ahead: Securing the Connected Camera Ecosystem​

The vulnerabilities disclosed in PTZOptics, ValueHD, SMTAV, and multiCAM Systems PTZ cameras are a sobering reminder of the IoT security debt that continues to accumulate across connected products. While some vendors—prompted by regulatory pressure and brand risk—are moving to remediate, a significant gap remains in the wider industry’s approach to authenticated access, patch responsiveness, and end-user control over device security settings.
For leaders in manufacturing, healthcare, government, and commercial sectors, the takeaway is clear: complacency is not an option. The bar for deploying internet-connected cameras must now include:

• Mandatory firmware and security patching as a procurement and operational requirement
• Zero tolerance for hard-coded or default credentials
• Strong network segmentation and minimal exposure to public or untrusted networks
• A willingness to demand more from vendors—or to walk away when those demands are not met

As IoT and smart surveillance become further entwined in organizational operations, continuous, proactive security review is imperative—not just for the protection of digital assets, but to maintain trust in the very systems meant to provide oversight and safety.

Resources for Further Action​

• PTZOptics Known Vulnerabilities and Fixes
• CISA ICS Security Resources
• CISA Cybersecurity Best Practices for ICS
• CISA Defense-in-Depth Strategies
• Vendor Contact for ValueHD
• Vendor Contact for SMTAV
• Vendor Contact for multiCAM Systems

Organizational vigilance—driven by continuous assessment, demanding more from device manufacturers, and implementing layered network defenses—remains the strongest countermeasure in a landscape where connected cameras are both essential tools and, all too often, silent liabilities.

---

Source: CISA PTZOptics and Other Pan-Tilt-Zoom Cameras | CISA