Skip to main content

AVer PTC310UV2 CVE-2025-45620

HIGH
Information Exposure (CWE-200)
2025-07-30 cve@mitre.org
8.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
7.5 HIGH

Remote unauthenticated info disclosure via a crafted request gives AV:N/AC:L/PR:N/UI:N and C:H; CWE-200 is read-only, so I:N and A:N rather than the inflated I:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:03 vuln.today

DescriptionCVE.org

An issue in Aver PTC310UV2 v.0.1.0000.59 allows a remote attacker to obtain sensitive information via a crafted request

AnalysisAI

Sensitive information disclosure in AVer PTC310UV2 professional PTZ tracking camera firmware version 0.1.0000.59 allows a remote, unauthenticated attacker to retrieve confidential data by sending a specially crafted request to the device. The flaw (CWE-200) carries a high CVSS 8.1 and has publicly available exploit code (GitHub weedl/CVE-2025-45620), though it is not listed in CISA KEV and EPSS remains low at 0.96% (57th percentile), indicating no confirmed widespread exploitation yet.

Technical ContextAI

The AVer PTC310UV2 is a network-connected professional pan-tilt-zoom auto-tracking camera used in conferencing, lecture-capture, and broadcast environments, exposing a web/HTTP management interface over the network. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), meaning the device returns protected data - such as configuration, credentials, or internal state - in response to requests that should not be authorized to receive it. The affected component is precisely identified by the CPE cpe:2.3:o:averusa:ptc310uv2_firmware:0.1.0000.59, scoping the issue to that single firmware build; root cause class is missing or improper access control on an endpoint that discloses information rather than a memory-safety or injection defect.

RemediationAI

No vendor-released patch identified at time of analysis - the references contain only a vendor product page (http://ptc310uv2.com) and public exploit code (https://github.com/weedl/CVE-2025-45620), with no fixed firmware version specified. As compensating controls: remove the PTC310UV2 management interface from any internet exposure and place the camera on an isolated management VLAN reachable only by authorized AV/administration hosts (trade-off: legitimate remote management must go through a VPN or jump host); restrict access to the device's HTTP endpoint via upstream firewall/ACL rules to known source IPs (trade-off: breaks ad-hoc remote access); and monitor for AVer firmware updates for a build superseding 0.1.0000.59 and apply it once released. Because exploitation is unauthenticated and network-based, network-layer isolation is the most effective available mitigation until a patched firmware is published.

Share

CVE-2025-45620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy