CVE-2025-34067 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Hikvision's HikCentral platform, formerly known as the Integrated Security Management Platform. The vulnerability arises from the use of a vulnerable version of the Fastjson library within the applyCT component, specifically at the endpoint /bic/ssoService/v1/applyCT. Fastjson is a Java library used for JSON parsing and serialization. This vulnerability exploits Fastjson's auto-type feature, which allows dynamic loading of Java classes during deserialization. An attacker can send specially crafted input that triggers the deserialization of untrusted data, referencing malicious Java classes via an LDAP URL. This leads to arbitrary code execution on the underlying system without requiring any authentication or user interaction. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-917 (Improper Neutralization of Special Elements used in an LDAP Query), highlighting the unsafe deserialization and LDAP injection aspects. The CVSS 4.0 base score is 10.0, indicating a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and there are no known exploits in the wild yet. However, given the nature of the vulnerability and the criticality of the affected platform, exploitation could lead to full system compromise, enabling attackers to manipulate security management functions, access sensitive surveillance data, or disrupt security operations.

For European organizations, the impact of this vulnerability is significant due to the widespread use of Hikvision's security management solutions in critical infrastructure, government facilities, transportation hubs, and commercial enterprises. Successful exploitation could allow attackers to gain full control over the security management platform, potentially disabling surveillance systems, tampering with access controls, or exfiltrating sensitive video and security data. This could lead to severe breaches of physical security, privacy violations, and operational disruptions. The unauthenticated nature of the vulnerability increases the risk of remote exploitation by threat actors, including cybercriminals and nation-state adversaries. Given the critical role of HikCentral in integrated security environments, the vulnerability could also facilitate lateral movement within networks, enabling further compromise of enterprise IT and OT systems. The potential for widespread impact is heightened by the lack of available patches and the criticality of the CVSS score, necessitating urgent attention by European organizations relying on Hikvision products.

1. Immediate network-level mitigation: Restrict external and untrusted network access to the /bic/ssoService/v1/applyCT endpoint using firewalls, network segmentation, or web application firewalls (WAFs). 2. Disable Fastjson auto-type feature if possible by configuring the application or applying custom patches to prevent dynamic class loading during deserialization. 3. Monitor network traffic and logs for suspicious LDAP requests or unusual activity targeting the vulnerable endpoint. 4. Implement strict input validation and filtering at the application layer to block malicious payloads attempting to exploit deserialization. 5. Engage with Hikvision support and monitor official advisories for patches or updates addressing this vulnerability; apply them promptly once available. 6. Conduct a thorough security audit of all Hikvision devices and management platforms to identify exposure and implement compensating controls such as multi-factor authentication and enhanced monitoring. 7. Consider temporary disabling or isolating vulnerable HikCentral instances until a secure patch is deployed. 8. Educate security teams on the indicators of compromise related to Fastjson deserialization attacks to enable rapid detection and response.