CVE-2025-35452
📋 TL;DR
This vulnerability allows attackers to access PTZOptics and other ValueHD-based pan-tilt-zoom cameras using default, shared administrative credentials. Attackers can gain full control of affected cameras, potentially compromising video feeds and device functionality. Organizations using these cameras with default configurations are at risk.
💻 Affected Systems
- PTZOptics cameras
- Other ValueHD-based pan-tilt-zoom cameras
📦 What is this software?
Mcamii Ptz Firmware by Multicam Systems
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of cameras, enabling them to view/manipulate video feeds, disable cameras, pivot to internal networks, or install persistent malware.
Likely Case
Unauthorized access to camera administrative interfaces leading to surveillance compromise, configuration changes, or denial of service.
If Mitigated
Limited impact if cameras are isolated, credentials changed, and access restricted.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials, which are shared across devices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not applicable
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10
Restart Required: No
Instructions:
No official patch exists. Follow CISA advisory recommendations: change default credentials if possible, isolate cameras, and monitor for unauthorized access.
🔧 Temporary Workarounds
Change Default Credentials
Change administrative passwords from factory defaults to strong, unique credentials.
Log in to the camera web interface > Administration > Change Password
Network Segmentation
Isolate cameras on separate VLANs with strict firewall rules.
Configure network switches/routers to place cameras on an isolated VLAN
🧯 If You Can't Patch
- Segment cameras from critical networks using firewalls
- Implement network access control to restrict administrative interface access
🔍 How to Verify
Check if Vulnerable:
Attempt to access camera web interface using default credentials (check vendor documentation for defaults).
Check Version:
Check firmware version in camera web interface > System Information
Verify Fix Applied:
Verify new credentials work and default credentials no longer provide access.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts from unknown IPs
- Successful logins from unexpected locations/times
- Configuration changes from unauthorized users
Network Indicators:
- Unusual traffic to camera administrative ports (typically 80, 443, 8080)
- Traffic from suspicious IPs to camera interfaces
SIEM Query:
source_ip IN (suspicious_ips) AND dest_port IN (80,443,8080) AND url_path CONTAINS "/admin"
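The log and network indicators above, combined into one filter over web access events. This is an added example, not code from the advisory or the vendor. It replaces the query's suspicious-IP list with an allowlist check; the log line layout, the management subnet 10.20.0.0/24 and every sample event are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ADMIN_PORTS = {80, 443, 8080}                       # ports named in the indicators above
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: approved admin subnet

# Constructed events: timestamp source_ip dest_ip dest_port url_path http_status
SAMPLE_LOG = """\
2025-06-12T08:01:10Z 10.20.0.15 10.30.0.5 443 /admin/config 200
2025-06-12T08:03:44Z 203.0.113.7 10.30.0.5 80 /admin/login 401
2025-06-12T08:03:46Z 203.0.113.7 10.30.0.5 80 /admin/login 401
2025-06-12T08:03:49Z 203.0.113.7 10.30.0.5 80 /admin/login 200
2025-06-12T08:05:02Z 198.51.100.9 10.30.0.6 8080 /stream/live 200
2025-06-12T08:07:30Z 192.0.2.44 10.30.0.6 8080 /admin/network 403
malformed line
"""

def parse(line):
    """Return an event dict, or None when the line does not fit the assumed layout."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, port, path, status = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "port": int(port), "path": path, "status": int(status)}
    except ValueError:
        return None

def detect(log_text):
    """Summarise admin-interface requests per source outside the management subnet."""
    per_src = defaultdict(lambda: {"failed": 0, "succeeded": 0, "cameras": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["port"] not in ADMIN_PORTS or "/admin" not in ev["path"]:
            continue
        if any(ev["src"] in net for net in MGMT_NETS):
            continue  # expected administrator traffic
        rec = per_src[str(ev["src"])]
        rec["cameras"].add(ev["dst"])
        if ev["status"] in (401, 403):
            rec["failed"] += 1
        elif 200 <= ev["status"] < 300:
            rec["succeeded"] += 1
    # An accepted admin request from an untrusted source ranks above failures alone.
    return [{"source_ip": src, "severity": "high" if r["succeeded"] else "medium",
             "failed": r["failed"], "succeeded": r["succeeded"],
             "cameras": sorted(r["cameras"])} for src, r in sorted(per_src.items())]
```

Calling `detect(SAMPLE_LOG)` returns one summary per untrusted source, which can be forwarded to the SIEM as an alert.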
🔗 References
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-162-10.json
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-10
- https://www.cve.org/CVERecord?id=CVE-2025-35452
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/