CVE-2025-35451 | Pan-Tilt-Zoom cameras hard-coded default passwords with SSH and telnet enabled

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.

Published: 2025-09-05
Last update: 2026-01-14
Assigner: 9119a7d8-5eab-497f-8521-727c672e3725
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Conclusion & alert: CVE-2025-35451 is rated High Exploit Risk (64.9/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.15%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available, so assess exposure, apply mitigations, and prioritize patching.

Public exploit references (Exploit-DB) for CVE-2025-35451

| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| | nvd_ref | exploit_tag | | Exploit-DB |

Exploit prediction scoring system (EPSS) score for CVE-2025-35451

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-02-13 | 0.06% | 0.15% | +0.10% |
| 2 | 2026-01-05 | 0.04% | 0.06% | +0.01% |
| 3 | 2025-11-21 | | 0.04% | |

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-35451

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.3 4.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:X)
Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X)
Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X)
Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X)
Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X)
Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X)
Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X)
Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X)
Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X)
Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X)
Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X)
Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X)
Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:X)
Not evaluated.
Automatable (supplemental) (AU:X)
Not evaluated.
Recovery (supplemental) (R:X)
Not evaluated.
Value density (supplemental) (V:X)
Not evaluated.
Vulnerability response effort (supplemental) (RE:X)
Not evaluated.
Provider urgency (supplemental) (U:X)
Not evaluated.
Score source: 9119a7d8-5eab-497f-8521-727c672e3725
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
Exploitability: 3.9
Impact: 5.9
Score source: 9119a7d8-5eab-497f-8521-727c672e3725

Weakness enumeration for CVE-2025-35451

Affected software / configurations for CVE-2025-35451

| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ptzoptics | pt12x-sdi-xx-g2_firmware | <= 6.3.34 | cpe:2.3:o:ptzoptics:pt12x-sdi-xx-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt12x-ndi-xx_firmware | <= 6.3.34 | cpe:2.3:o:ptzoptics:pt12x-ndi-xx_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt12x-usb-xx-g2_firmware | <= 6.2.81 | cpe:2.3:o:ptzoptics:pt12x-usb-xx-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt20x-sdi-xx-g2_firmware | <= 6.3.20 | cpe:2.3:o:ptzoptics:pt20x-sdi-xx-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt20x-ndi-xx_firmware | <= 6.3.20 | cpe:2.3:o:ptzoptics:pt20x-ndi-xx_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt20x-usb-xx-g2_firmware | <= 6.2.73 | cpe:2.3:o:ptzoptics:pt20x-usb-xx-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt30x-sdi-xx-g2_firmware | <= 6.3.30 | cpe:2.3:o:ptzoptics:pt30x-sdi-xx-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt30x-ndi-xx_firmware | <= 6.3.30 | cpe:2.3:o:ptzoptics:pt30x-ndi-xx_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt12x-zcam_firmware | <= 7.2.76 | cpe:2.3:o:ptzoptics:pt12x-zcam_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pt20x-zcam_firmware | <= 7.2.82 | cpe:2.3:o:ptzoptics:pt20x-zcam_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | ptvl-zcam_firmware | <= 7.2.79 | cpe:2.3:o:ptzoptics:ptvl-zcam_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pteptz-zcam-g2_firmware | <= 8.1.81 | cpe:2.3:o:ptzoptics:pteptz-zcam-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | pteptz-ndi-zcam-g2_firmware | <= 8.1.81 | cpe:2.3:o:ptzoptics:pteptz-ndi-zcam-g2_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | vl_fixed_camera_firmware | <= 7.2.94 | cpe:2.3:o:ptzoptics:vl_fixed_camera_firmware:*:*:*:*:*:*:*:* |
| ptzoptics | ndi_fixed_camera_firmware | <= 7.2.94 | cpe:2.3:o:ptzoptics:ndi_fixed_camera_firmware:*:*:*:*:*:*:*:* |
| multicam-systems | mcamii_ptz_firmware | | cpe:2.3:o:multicam-systems:mcamii_ptz_firmware:*:*:*:*:*:*:*:* |
| smtav | ba30s_firmware | | cpe:2.3:o:smtav:ba30s_firmware:*:*:*:*:*:*:*:* |
| smtav | ba20s_firmware | | cpe:2.3:o:smtav:ba20s_firmware:*:*:*:*:*:*:*:* |
| smtav | bv20s_firmware | | cpe:2.3:o:smtav:bv20s_firmware:*:*:*:*:*:*:*:* |
| smtav | bx30s_firmware | | cpe:2.3:o:smtav:bx30s_firmware:*:*:*:*:*:*:*:* |
| smtav | bx20n_firmware | | cpe:2.3:o:smtav:bx20n_firmware:*:*:*:*:*:*:*:* |
| smtav | bx20uhd-n_firmware | | cpe:2.3:o:smtav:bx20uhd-n_firmware:*:*:*:*:*:*:*:* |
| smtav | bx20uhd_firmware | | cpe:2.3:o:smtav:bx20uhd_firmware:*:*:*:*:*:*:*:* |
| smtav | ba30-n_firmware | | cpe:2.3:o:smtav:ba30-n_firmware:*:*:*:*:*:*:*:* |
| smtav | ba20-n_firmware | | cpe:2.3:o:smtav:ba20-n_firmware:*:*:*:*:*:*:*:* |
| smtav | ba12-n_firmware | | cpe:2.3:o:smtav:ba12-n_firmware:*:*:*:*:*:*:*:* |
| smtav | hd17h-n_firmware | | cpe:2.3:o:smtav:hd17h-n_firmware:*:*:*:*:*:*:*:* |
| smtav | bx20s-sh_firmware | | cpe:2.3:o:smtav:bx20s-sh_firmware:*:*:*:*:*:*:*:* |
| smtav | hd17h_firmware | | cpe:2.3:o:smtav:hd17h_firmware:*:*:*:*:*:*:*:* |
| smtav | bv30s_firmware | | cpe:2.3:o:smtav:bv30s_firmware:*:*:*:*:*:*:*:* |
| smtav | ba12s_firmware | | cpe:2.3:o:smtav:ba12s_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx90_firmware | | cpe:2.3:o:valuehd:vx90_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx720l_firmware | | cpe:2.3:o:valuehd:vx720l_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx752ag_firmware | | cpe:2.3:o:valuehd:vx752ag_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx752a_firmware | | cpe:2.3:o:valuehd:vx752a_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx751ba_firmware | | cpe:2.3:o:valuehd:vx751ba_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx630al_firmware | | cpe:2.3:o:valuehd:vx630al_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx61asl_firmware | | cpe:2.3:o:valuehd:vx61asl_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx61basl_firmware | | cpe:2.3:o:valuehd:vx61basl_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx60asl_firmware | | cpe:2.3:o:valuehd:vx60asl_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx61al_firmware | | cpe:2.3:o:valuehd:vx61al_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx60al_firmware | | cpe:2.3:o:valuehd:vx60al_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx701ra_firmware | | cpe:2.3:o:valuehd:vx701ra_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx701ta_firmware | | cpe:2.3:o:valuehd:vx701ta_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx800i2_firmware | | cpe:2.3:o:valuehd:vx800i2_firmware:*:*:*:*:*:*:*:* |
| valuehd | v61w_firmware | | cpe:2.3:o:valuehd:v61w_firmware:*:*:*:*:*:*:*:* |
| valuehd | v63xl_firmware | | cpe:2.3:o:valuehd:v63xl_firmware:*:*:*:*:*:*:*:* |
| valuehd | v60xl_firmware | | cpe:2.3:o:valuehd:v60xl_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx70uvs_firmware | | cpe:2.3:o:valuehd:vx70uvs_firmware:*:*:*:*:*:*:*:* |
| valuehd | vx71uvs_firmware | | cpe:2.3:o:valuehd:vx71uvs_firmware:*:*:*:*:*:*:*:* |
| valuehd | v71uvs_firmware | | cpe:2.3:o:valuehd:v71uvs_firmware:*:*:*:*:*:*:*:* |

References for CVE-2025-35451
