CVE-2025-35451
📋 TL;DR
This vulnerability affects PTZOptics and other ValueHD-based pan-tilt-zoom cameras, which ship with a hard-coded default administrative credential that users cannot change. The credential is weak enough to be cracked with little effort, and the cameras expose SSH and telnet on all network interfaces, so anyone who can reach TCP/22 or TCP/23 on a camera can log in as an administrator. Organizations that use these cameras for surveillance or live streaming are affected.
💻 Affected Systems
- PTZOptics cameras
- Other ValueHD-based pan-tilt-zoom cameras
📦 What is this software?
Mcamii Ptz Firmware by Multicam Systems
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of camera systems leading to unauthorized video surveillance, camera manipulation, lateral movement into internal networks, and potential ransomware deployment across connected systems.
Likely Case
Unauthorized access to camera feeds, camera control hijacking, video stream interception, and use as foothold for further network attacks.
If Mitigated
Limited impact if cameras sit in an isolated network segment and firewall rules prevent traversal into other networks, though each camera remains fully compromisable by any host that can reach its SSH or telnet port.
🎯 Exploit Status
Exploitation is low effort. The administrative credential is hard-coded and shared across affected devices, so an attacker only has to recover it once (the advisory describes it as weak and easily cracked) to reuse it against every camera. SSH and telnet are bound to all interfaces by default, so any host with network reachability to port 22 or 23 can authenticate; no user interaction or prior access is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10
Restart Required: No
Instructions:
No official patch is available at the time of writing. Follow the CISA advisory and apply the workarounds below; treat every affected camera as compromisable until the vendor ships firmware that removes the fixed credential.
🔧 Temporary Workarounds
Network segmentation and access control
Isolate cameras in a dedicated VLAN and restrict access with firewall rules: allow TCP/22 and TCP/23 to camera addresses only from a management subnet, and allow camera-originated traffic only to the streaming or recording server the cameras need.
Disable unnecessary services
If the camera management interface allows it, disable the SSH and telnet services. Confirm with a port scan from a non-management host afterwards, since the interface reporting a service as disabled is not proof that the port is closed.
🧯 If You Can't Patch
- Physically isolate cameras from critical networks and internet access
- Implement strict network monitoring and alerting for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Against devices you are authorized to test, attempt an SSH or telnet login with the known default credentials; a successful administrative login confirms the issue. Independently, port-scan each camera for TCP/22 and TCP/23 with nmap or a similar tool from a host outside the camera VLAN, since the services are bound on all interfaces and reachability alone already exposes the device. Because no fixed firmware exists, any camera of an affected model that answers on these ports should be treated as vulnerable.
Check Version:
Record the camera firmware version through the web interface or over SSH if accessible. No fixed version exists yet, so the version alone cannot clear a device; keep the inventory so affected units can be identified when the vendor publishes a release.
Verify Fix Applied:
Since there is no patch, "fixed" here means mitigated: verify from a host on an untrusted segment that TCP/22 and TCP/23 on the camera addresses are unreachable, and that the management subnet is the only source the firewall permits to those ports.
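As an added example (not from the advisory or any vendor tooling), the following Python parses the grepable output of an nmap scan you run yourself against the camera VLAN and lists the cameras that still answer on TCP/22 or TCP/23. The subnet, the embedded scan output and all host addresses are constructed placeholders.

```python
"""Flag cameras in a camera VLAN that still expose SSH or Telnet.

Added example; not part of the advisory. It parses `nmap -oG` (grepable)
output that you produce yourself, for instance:
    nmap -p22,23 -oG scan.gnmap 10.20.30.0/24
The subnet and the scan data below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re

# Ports the affected cameras bind on every interface, per the advisory.
SHELL_PORTS = {22: "ssh", 23: "telnet"}

# One grepable host line: "Host: <ip> (<name>)\tPorts: a, b, c\tIgnored State: ..."
_PORTS_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>[^\t]*)")


def parse_grepable(text: str) -> dict[str, dict[int, str]]:
    """Return {ip: {tcp_port: state}} for every host line carrying a Ports: field."""
    hosts: dict[str, dict[int, str]] = {}
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue  # comments, "Status: Up" lines, blank lines
        ports = hosts.setdefault(m["ip"], {})
        for entry in m["ports"].split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version
            fields = entry.strip().split("/")
            if len(fields) < 3 or fields[2] != "tcp":
                continue
            ports[int(fields[0])] = fields[1]
    return hosts


def exposed_shell_hosts(text: str, camera_subnet: str) -> list[tuple[str, list[str]]]:
    """Hosts inside camera_subnet with SSH or Telnet open, sorted by address."""
    net = ipaddress.ip_network(camera_subnet)
    findings = []
    for ip, ports in parse_grepable(text).items():
        if ipaddress.ip_address(ip) not in net:
            continue  # ignore the scanning host, jump boxes, etc.
        exposed = sorted(SHELL_PORTS[p] for p, state in ports.items()
                         if p in SHELL_PORTS and state == "open")
        if exposed:
            findings.append((ip, exposed))
    return sorted(findings, key=lambda f: ipaddress.ip_address(f[0]))


# Constructed nmap -oG output (tabs separate the fields, as nmap emits them).
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -p22,23,80 -oG - 10.20.30.0/28\n"
    "Host: 10.20.30.5 ()\tStatus: Up\n"
    "Host: 10.20.30.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///\n"
    "Host: 10.20.30.6 ()\tPorts: 22/filtered/tcp//ssh///, 23/closed/tcp//telnet///, "
    "80/open/tcp//http///\n"
    "Host: 10.20.30.7 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///"
    "\tIgnored State: closed (1)\n"
    "Host: 10.99.0.1 (mgmt-jump)\tPorts: 22/open/tcp//ssh///\n"
    "# Nmap done -- 4 IP addresses (4 hosts up) scanned\n"
)

if __name__ == "__main__":
    for ip, services in exposed_shell_hosts(SAMPLE_SCAN, "10.20.30.0/24"):
        print(f"{ip}: {', '.join(services)} reachable; isolate or disable")
```

Run the scan from a host outside the camera VLAN so the result reflects what a non-management host can actually reach, then feed the file contents to exposed_shell_hosts. Only scan devices you are authorized to test.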
📡 Detection & Monitoring
Log Indicators:
- Failed SSH/telnet login attempts
- Successful logins from unexpected IPs
- Multiple authentication attempts
Network Indicators:
- SSH/telnet connections to camera IPs from external networks
- Unusual outbound traffic from cameras
SIEM Query:
dest_ip IN (camera_ips) AND (dest_port=22 OR dest_port=23) AND action=success AND NOT source_ip IN (management_ips)
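The three indicator groups above, expressed as rules over firewall connection events, as an added example that is not part of the advisory or any SIEM product. It assumes a key=value export format (constructed for this example; map your own SIEM's fields onto it), one management subnet that may legitimately reach camera shells, and one streaming server that cameras may legitimately contact; every address and timestamp is a placeholder.

```python
"""Run the advisory's detection indicators over firewall connection events.

Added example; not part of the advisory or any vendor tooling. It assumes the
camera VLAN's firewall exports one key=value line per connection (a constructed
format), that SSH/Telnet to a camera is only legitimate from one management
subnet, and that cameras only ever talk to a known streaming server.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

CAMERA_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # assumed camera VLAN
MGMT_SUBNET = ipaddress.ip_network("10.99.0.0/24")     # assumed admin/jump subnet
STREAM_SERVER = ipaddress.ip_address("10.20.31.10")    # assumed only legitimate peer
SHELL_PORTS = {22, 23}                                 # SSH and Telnet, per the advisory
BRUTE_THRESHOLD = 5                                    # attempts per source/camera pair
BRUTE_WINDOW = timedelta(seconds=60)


def parse_event(line: str) -> dict:
    """'ts=... src=... dst=... dport=... action=allow|deny' -> typed dict."""
    kv = dict(token.split("=", 1) for token in line.split())
    return {
        "ts": datetime.fromisoformat(kv["ts"]),
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "dport": int(kv["dport"]),
        "action": kv["action"],
    }


def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (rule, src, dst) alerts in event order.

    shell-from-untrusted: allowed SSH/Telnet to a camera from outside MGMT_SUBNET
                          (the page's SIEM query, with the camera as destination)
    brute-force:          BRUTE_THRESHOLD shell-port attempts, allowed or denied,
                          from one source to one camera inside BRUTE_WINDOW
    unexpected-outbound:  a camera initiating a connection to anything but
                          STREAM_SERVER
    """
    alerts: list[tuple[str, str, str]] = []
    attempts: dict[tuple, list[datetime]] = defaultdict(list)
    for ev in (parse_event(line) for line in lines if line.strip()):
        src, dst = ev["src"], ev["dst"]
        if dst in CAMERA_SUBNET and ev["dport"] in SHELL_PORTS:
            if ev["action"] == "allow" and src not in MGMT_SUBNET:
                alerts.append(("shell-from-untrusted", str(src), str(dst)))
            window = attempts[(src, dst)]
            window.append(ev["ts"])
            # Slide the window: forget attempts older than BRUTE_WINDOW.
            while ev["ts"] - window[0] > BRUTE_WINDOW:
                window.pop(0)
            if len(window) == BRUTE_THRESHOLD:
                alerts.append(("brute-force", str(src), str(dst)))
        if src in CAMERA_SUBNET and dst != STREAM_SERVER:
            alerts.append(("unexpected-outbound", str(src), str(dst)))
    return alerts


# Constructed firewall export for a short window (not real traffic).
SAMPLE_EVENTS = [
    "ts=2025-06-12T10:00:01 src=10.99.0.5 dst=10.20.30.5 dport=22 action=allow",
    "ts=2025-06-12T10:00:10 src=192.0.2.44 dst=10.20.30.5 dport=23 action=allow",
    "ts=2025-06-12T10:00:11 src=198.51.100.9 dst=10.20.30.7 dport=22 action=deny",
    "ts=2025-06-12T10:00:12 src=198.51.100.9 dst=10.20.30.7 dport=22 action=deny",
    "ts=2025-06-12T10:00:13 src=198.51.100.9 dst=10.20.30.7 dport=22 action=deny",
    "ts=2025-06-12T10:00:14 src=198.51.100.9 dst=10.20.30.7 dport=22 action=deny",
    "ts=2025-06-12T10:00:15 src=198.51.100.9 dst=10.20.30.7 dport=22 action=deny",
    "ts=2025-06-12T10:00:20 src=10.20.30.5 dst=10.20.31.10 dport=1935 action=allow",
    "ts=2025-06-12T10:00:21 src=10.20.30.5 dst=203.0.113.7 dport=443 action=allow",
]

if __name__ == "__main__":
    for rule, src, dst in detect(SAMPLE_EVENTS):
        print(f"{rule:<22} {src} -> {dst}")
```

Because the cameras' own logs may never leave the device, the brute-force rule counts connection attempts seen at the firewall rather than authentication failures on the camera; if the cameras do forward syslog, the failed-login lines can be fed through the same sliding-window logic. The management-subnet login in the first sample line produces no alert, which is the behaviour the SIEM query above is meant to have once a NOT source_ip clause is added.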
🔗 References
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-162-10.json
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10
- https://www.cve.org/CVERecord?id=CVE-2025-35451
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/