Introduction
Remote attackers have gained root access to PTZOptics and ValueHD-based pan-tilt-zoom (PTZ) cameras in healthcare, government, and manufacturing environments by exploiting hard-coded administrative credentials. These credentials are embedded in the firmware, cannot be changed by users, and allow full control through SSH and telnet. The vulnerability, tracked as CVE-2025-35451, is actively targeted and has a CVSS v3 score of 9.8.
PTZOptics is a leading US-based provider of professional PTZ cameras, widely used in broadcasting, conferencing, and surveillance. ValueHD, a major OEM in China, supplies the underlying hardware and firmware for PTZOptics and other brands including multiCAM Systems and SMTAV. These products are deployed globally across critical infrastructure sectors.
Technical Information
CVE-2025-35451 is a critical authentication flaw caused by the use of hard-coded administrative credentials in the firmware of PTZOptics and ValueHD-based cameras. The affected devices have SSH (port 22) and telnet (port 23) services enabled on all interfaces by default. The credentials are identical across all devices running vulnerable firmware and are not modifiable or removable by end users.
Attackers can identify vulnerable devices by scanning for open SSH or telnet ports. Once discovered, they can authenticate using the known credentials to gain root access to the underlying Linux operating system. This grants full administrative control, including the ability to:
- Modify device configurations
- Install or remove software
- Extract sensitive data
- Establish persistent backdoors
- Use the camera as a pivot point for lateral movement within the network
The vulnerability is classified as CWE-798 (Use of Hard-coded Credentials). The root cause is the embedding of static credentials in the firmware image, a critical design flaw that cannot be mitigated by configuration changes alone. The only effective remediation is a firmware update that removes or randomizes the credentials and allows users to set their own passwords.
No public code snippets containing the hard-coded credentials are available, but security advisories confirm that the credentials are trivial to crack and widely known in the security community.
Affected Systems and Versions
- PTZOptics cameras running firmware versions prior to 6.3.40
- ValueHD-based cameras from ValueHD, multiCAM Systems, and SMTAV (all firmware versions as of the latest advisories)
- All configurations where SSH or telnet is enabled (default state)
- Devices exposed to the internet or accessible from untrusted networks are at highest risk
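A defender-side triage of a camera inventory against the criteria listed above, as an added example that is not from the advisory or the vendors. The record fields, hostnames and sample values are constructed, and treating an unreadable PTZOptics firmware string as vulnerable is an assumption.

```python
import re

PTZOPTICS_FIXED = (6, 3, 40)   # PTZOptics firmware prior to 6.3.40 is affected (per the page)
OEM_BRANDS = {"valuehd", "multicam systems", "smtav"}   # all firmware versions affected
MGMT_PORTS = {22: "ssh", 23: "telnet"}                  # services enabled by default

def parse_version(text):
    """Turn 'V6.3.34' or '6.10.2-rc1' into an int tuple; None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(device):
    """Return (status, reasons) for one inventory record (field names are hypothetical)."""
    vendor = device["vendor"].strip().lower()
    version = parse_version(device.get("firmware"))
    if vendor == "ptzoptics":
        if version is None:   # assumption: unknown firmware is handled as vulnerable
            affected, why = True, "firmware version unknown"
        else:                 # tuple compare, so 6.10.2 is correctly newer than 6.3.40
            affected = version < PTZOPTICS_FIXED
            why = "firmware %s, fixed in 6.3.40" % ".".join(map(str, version))
    elif vendor in OEM_BRANDS:
        affected, why = True, "ValueHD-based, all firmware versions affected"
    else:
        return "not-in-scope", []
    if not affected:
        return "patched", [why]
    exposed = sorted(MGMT_PORTS[p] for p in device.get("open_ports", []) if p in MGMT_PORTS)
    if not exposed:
        return "affected-services-closed", [why]
    reasons = [why, "reachable: " + ", ".join(exposed)]
    # Devices reachable from the internet or untrusted networks are at highest risk.
    return ("critical" if device.get("untrusted_reachable") else "high"), reasons

# Constructed sample inventory: hostnames, versions and port lists are made up.
INVENTORY = [
    {"host": "cam-lobby", "vendor": "PTZOptics", "firmware": "V6.3.34", "open_ports": [22, 80], "untrusted_reachable": True},
    {"host": "cam-studio", "vendor": "PTZOptics", "firmware": "6.3.40", "open_ports": [22, 23]},
    {"host": "cam-or2", "vendor": "SMTAV", "firmware": "2.0.11", "open_ports": [23]},
    {"host": "cam-lab", "vendor": "ValueHD", "firmware": None, "open_ports": [80]},
    {"host": "printer-1", "vendor": "Acme", "firmware": "1.0.0", "open_ports": [22]},
]

def report(inventory):
    """Map each host to its triage status."""
    return {d["host"]: triage(d)[0] for d in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Feed it the output of an asset inventory or an internal port survey; devices marked `critical` or `high` are the ones to isolate or update first.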
Vendor Security History
PTZOptics has previously addressed vulnerabilities in its camera firmware, including issues related to improper authentication and OS command injection (CVE-2024-8956, CVE-2024-8957). The company has released firmware updates and changelogs documenting security improvements, such as HTTP Digest Authentication and disabling guest login by default. PTZOptics has generally responded to disclosures with timely patches.
ValueHD, multiCAM Systems, and SMTAV have not consistently responded to coordinated vulnerability disclosure efforts. As a result, many devices from these vendors remain unpatched and vulnerable. The OEM supply chain model has led to persistent vulnerabilities across multiple brands and product lines.