CVE-2026-40624

AVer · PTC500S, PTC115, PTC500+, and PTC115+ Cameras

Improper input validation in AVer PTC series cameras allows remote, unauthenticated attackers to execute arbitrary code via crafted web requests.

Executive summary

A critical arbitrary code execution vulnerability in AVer PTC series cameras permits remote, unauthenticated attackers to compromise affected hardware.

Vulnerability

The vulnerability stems from improper input validation within the camera's web interface. This allows an unauthenticated remote attacker to inject and execute arbitrary code by sending specially crafted web requests.

Business impact

Successful exploitation allows an attacker to gain full control over the camera hardware, potentially enabling remote surveillance or pivoting into internal networks. With a CVSS score of 9.8, this vulnerability represents a severe threat to physical and network security, particularly in sensitive environments.

Remediation

Immediate Action: Apply the latest firmware updates provided by AVer for the affected PTC camera models.

Proactive Monitoring: Monitor network traffic for anomalous HTTP requests directed at camera web interfaces and check for unauthorized device configuration changes.

Compensating Controls: Place affected cameras on isolated management VLANs and restrict access via a Web Application Firewall (WAF) or access control lists (ACLs).

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Unauthenticated remote code execution on camera hardware is a severe security risk. Organizations should immediately isolate these devices from public-facing networks and prioritize firmware updates to close the identified input validation gaps.