CVE-2025-34067 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the Hikvision Integrated Security Management Platform. The root cause is the use of a vulnerable version of the Fastjson library within the applyCT component, specifically the /bic/ssoService/v1/applyCT endpoint. Fastjson's auto-type feature allows dynamic loading of Java classes during JSON deserialization. An attacker can craft malicious JSON input referencing a Java class hosted via an LDAP URL, which Fastjson will deserialize and instantiate, leading to arbitrary code execution on the server. This vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The vulnerability was publicly disclosed in mid-2025 with a CVSS 4.0 score of 10.0, reflecting its critical impact on confidentiality, integrity, and availability. Shadowserver Foundation observed exploitation attempts in February 2025, indicating active reconnaissance or limited exploitation. The vulnerability affects all versions of the Hikvision Integrated Security Management Platform that use the vulnerable Fastjson library, with no patches currently listed, underscoring the urgency for mitigation. The attack vector is network-based, with low complexity and no privileges required, enabling attackers to fully compromise affected systems, potentially gaining control over security management infrastructure.

For European organizations, the impact of CVE-2025-34067 is severe. Hikvision's Integrated Security Management Platform is widely deployed in physical security systems including video surveillance, access control, and alarm management across critical infrastructure, government facilities, transportation hubs, and private enterprises. Successful exploitation can lead to full system compromise, allowing attackers to disable or manipulate security controls, exfiltrate sensitive data, or disrupt operations. This threatens confidentiality, integrity, and availability of security monitoring and response capabilities. Given the unauthenticated remote code execution nature, attackers can pivot into broader network environments, increasing risk of lateral movement and persistent compromise. The potential for espionage, sabotage, or ransomware deployment is significant. European entities with regulatory obligations under GDPR and NIS2 directives face additional compliance and reputational risks if breaches occur. The lack of available patches heightens urgency for interim mitigations to prevent exploitation.

1. Immediate network-level controls: Restrict access to the /bic/ssoService/v1/applyCT endpoint using firewalls or network segmentation to trusted management networks only. 2. Disable Fastjson auto-type feature if configurable, or replace the vulnerable Fastjson library version with a secure patched version once available. 3. Monitor network traffic and logs for suspicious LDAP URL references or anomalous JSON deserialization attempts targeting the applyCT endpoint. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block exploitation patterns related to Fastjson deserialization attacks. 5. Conduct thorough asset inventory to identify all Hikvision Integrated Security Management Platform deployments and prioritize remediation. 6. Engage with Hikvision support for official patches or mitigations and apply them promptly upon release. 7. Implement endpoint detection and response (EDR) solutions to detect post-exploitation behaviors. 8. Educate security teams on this vulnerability to enhance incident response readiness. 9. Consider isolating affected systems from critical networks until mitigations are in place. 10. Regularly update and patch all related infrastructure to reduce attack surface.