GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.
This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. If exploited, the vulnerabilities could allow attackers to seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.
This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time.
GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.
View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals.
Affected Devices and Common Use-Cases
The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices run VHD PTZ camera firmware < 6.3.40, which is used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server that allows direct access from a web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:
- Industrial and manufacturing plants for machinery surveillance and quality control.
- Business conferences for high-definition video streaming and remote presentations.
- Healthcare settings for telehealth consultations and surgical live streams.
- State and local government environments, including courtrooms.
- Houses of worship for live streaming of religious services.
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars.
Vulnerabilities Discovered
CVSS 9.1 (Critical)
Insufficient Authentication: CVE-2024-8956
- Inadequate authentication mechanisms could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data. MD5 hashes have long been considered insecure, meaning attackers could potentially crack them and gain administrative access.
CVSS 7.2 (High)
OS Command Injection: CVE-2024-8957
- Chained with CVE-2024-8956, this flaw lets an attacker execute arbitrary OS commands on the affected cameras, potentially allowing them to seize full control of the system.
Full Camera Takeover, Unauthorized Surveillance, Data Breach, Broader Attacks, and More
GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. If exploited, these vulnerabilities could expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations exposed to data and privacy breaches.
Full Camera Takeover and Unauthorized Surveillance
- By exploiting both CVE-2024-8956 and CVE-2024-8957, an attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information. Devices could also be enlisted into a botnet and used for denial-of-service attacks.
Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet.
Broader Network Attacks and Data Breach
- An attacker could extract network details, including IP addresses, MAC addresses, and gateway configurations, and potentially use this information to pivot and move laterally into the device’s local network. This could compromise other systems on the same network, leading to broader data breaches or even the spread of ransomware.
Disablement of Camera Operations
- CVE-2024-8956 allows configuration files to be updated or entirely overwritten. An attacker could exploit this vulnerability to intentionally misconfigure or disable the camera, potentially disrupting camera operations.
How GreyNoise Discovered These Vulnerabilities Using AI
Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise.
This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures.
What Makes Sift Different
Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise.
In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research.
“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.”
Human Researchers + AI: A Powerful Combination
By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden.
The Broader IoT Challenge: Proliferation and Internet Noise
GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality.
Recommendations to Protect Your Organization
Organizations running VHD PTZ camera firmware < 6.3.40, which is used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC V60, V61, and V63, should take immediate action to patch the discovered vulnerabilities and secure their systems.
VulnCheck alerted affected manufacturers to the flaws, receiving a response only from PTZOptics. The manufacturer released firmware updates addressing these flaws.
Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.