AVer PTC310UV2 CVE-2025-45620
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Remote unauthenticated info disclosure via a crafted request gives AV:N/AC:L/PR:N/UI:N and C:H; CWE-200 is read-only, so I:N and A:N rather than the inflated I:H.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
An issue in Aver PTC310UV2 v.0.1.0000.59 allows a remote attacker to obtain sensitive information via a crafted request
AnalysisAI
Sensitive information disclosure in AVer PTC310UV2 professional PTZ tracking camera firmware version 0.1.0000.59 allows a remote, unauthenticated attacker to retrieve confidential data by sending a specially crafted request to the device. The flaw (CWE-200) carries a high CVSS 8.1 and has publicly available exploit code (GitHub weedl/CVE-2025-45620), though it is not listed in CISA KEV and EPSS remains low at 0.96% (57th percentile), indicating no confirmed widespread exploitation yet.
Technical ContextAI
The AVer PTC310UV2 is a network-connected professional pan-tilt-zoom auto-tracking camera used in conferencing, lecture-capture, and broadcast environments, exposing a web/HTTP management interface over the network. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), meaning the device returns protected data - such as configuration, credentials, or internal state - in response to requests that should not be authorized to receive it. The affected component is precisely identified by the CPE cpe:2.3:o:averusa:ptc310uv2_firmware:0.1.0000.59, scoping the issue to that single firmware build; root cause class is missing or improper access control on an endpoint that discloses information rather than a memory-safety or injection defect.
RemediationAI
No vendor-released patch identified at time of analysis - the references contain only a vendor product page (http://ptc310uv2.com) and public exploit code (https://github.com/weedl/CVE-2025-45620), with no fixed firmware version specified. As compensating controls: remove the PTC310UV2 management interface from any internet exposure and place the camera on an isolated management VLAN reachable only by authorized AV/administration hosts (trade-off: legitimate remote management must go through a VPN or jump host); restrict access to the device's HTTP endpoint via upstream firewall/ACL rules to known source IPs (trade-off: breaks ad-hoc remote access); and monitor for AVer firmware updates for a build superseding 0.1.0000.59 and apply it once released. Because exploitation is unauthenticated and network-based, network-layer isolation is the most effective available mitigation until a patched firmware is published.
More in Ptc310Uv2 Firmware
View allSame weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today