Introduction
Unauthorized remote access to surveillance infrastructure has led to real-world breaches in critical manufacturing, healthcare, and government sectors. The recent discovery of default, hard-coded administrative credentials in PTZOptics and ValueHD-based pan-tilt-zoom (PTZ) cameras (CVE-2025-35452) demonstrates how a single design flaw can expose entire organizations to remote compromise, persistent surveillance, and lateral movement attacks.
PTZOptics is a leading manufacturer of professional PTZ cameras, widely used in broadcasting, education, and security. Their products are deployed globally and are integral to many critical infrastructure and commercial environments. ValueHD supplies OEM camera platforms used by several brands, multiplying the impact of vulnerabilities in their firmware. This vulnerability also affects other vendors such as SMTAV and multiCAM Systems, broadening the scope of exposure.
Technical Information
CVE-2025-35452 is a critical vulnerability (CVSS 9.8) caused by the presence of default, hard-coded credentials in the web interface of PTZOptics and ValueHD-based PTZ cameras. In affected devices, the administrative interface is protected by a username and password combination that is set to a known default value, typically:
Username: admin
Password: admin
In certain firmware versions, these credentials are embedded in the firmware image in plaintext and cannot be changed or disabled by the end user. This means that even after an administrator attempts to update the password, the original hard-coded credentials remain valid for remote access. Attackers can exploit this by connecting to the camera's web interface over the network and authenticating with the default credentials, gaining full administrative control. No user interaction is required, and exploitation can be automated at scale.
The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). Public advisories confirm that exploitation is trivial and does not require any special tools or advanced techniques. The flaw is compounded by related issues in the same ecosystem, such as CVE-2024-8956 (improper authentication) and CVE-2025-35451 (hard-coded OS/telnet credentials), which can be chained for deeper compromise.
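The behaviour described above, modelled next to a corrected design, as an added example (it is not the vendor's firmware code, which this page does not show). The class names, the 12-character minimum and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of the flaw; not code from any vendor firmware.
HARDCODED = ("admin", "admin")  # the default pair named in the advisory


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class VulnerableAuth:
    """Password can be changed, but the built-in pair is still accepted."""

    def __init__(self):
        self.user, self.password = HARDCODED

    def set_password(self, new_password: str) -> None:
        self.password = new_password

    def login(self, user: str, password: str) -> bool:
        if (user, password) == HARDCODED:  # CWE-798: survives password changes
            return True
        return user == self.user and password == self.password


class HardenedAuth:
    """No built-in credential: login is refused until the owner sets one."""

    def __init__(self):
        self.user = "admin"
        self.salt = None
        self.digest = None

    def set_password(self, new_password: str) -> None:
        # Assumed policy: minimum length, and never the old default value.
        if len(new_password) < 12 or new_password == HARDCODED[1]:
            raise ValueError("password too weak or equal to the old default")
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)

    def login(self, user: str, password: str) -> bool:
        if self.digest is None:  # unprovisioned device: nothing to log in with
            return False
        candidate = _hash(password, self.salt)
        ok_user = hmac.compare_digest(user.encode(), self.user.encode())
        return hmac.compare_digest(candidate, self.digest) and ok_user
```

In the first class a password change gives the administrator no protection, which is why the affected devices need a firmware fix rather than a configuration change.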
Affected Systems and Versions
The following products and vendors are confirmed affected by CVE-2025-35452:
- PTZOptics PTZ camera models with web interface firmware containing hard-coded admin credentials ("admin"/"admin").
- SMTAV PTZ camera models using ValueHD-based firmware with default credentials.
- multiCAM Systems PTZ cameras based on ValueHD platforms.
- ValueHD OEM PTZ camera platforms used by multiple brands.
The vulnerability is present in firmware versions where the admin credentials are hard-coded and cannot be changed or disabled by the user. Specific affected versions are not enumerated in public advisories, but all ValueHD-based PTZ cameras with default credentials are considered vulnerable unless patched. PTZOptics has released patches for some models; organizations should consult the CISA advisory and vendor documentation for model-specific details.
Vendor Security History
PTZOptics has responded to coordinated disclosure by releasing firmware patches for some affected models and maintains a public vulnerability disclosure process. Previous related vulnerabilities include:
- CVE-2024-8956: Improper authentication in PTZOptics and ValueHD-based cameras.
- CVE-2025-35451: Hard-coded OS/telnet credentials in the same ecosystem.
PTZOptics generally demonstrates moderate security maturity, with timely responses to public disclosures. In contrast, SMTAV and ValueHD have not responded to coordinated disclosure efforts and have not issued patches or public guidance, raising concerns about their long-term security support and maturity.