CVE-2025-39245 is a CSV Injection vulnerability identified in Hikvision's HikCentral Master Lite software, specifically affecting versions between V2.2.1 and V2.3.2. CSV Injection, also known as Formula Injection, occurs when untrusted input is embedded in CSV files without proper sanitization, allowing attackers to inject malicious formulas or commands. When such a CSV file is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc, the injected formulas can execute arbitrary commands or scripts, potentially leading to data manipulation, unauthorized actions, or further compromise of the user's system. In this case, the vulnerability allows an attacker to craft malicious CSV data that, when exported or imported by the HikCentral Master Lite software and subsequently opened by an end user, could execute commands. The CVSS 3.1 base score is 4.7 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L, indicating that the attack can be performed remotely without privileges, requires user interaction (opening the CSV), affects availability with a scope change, but does not impact confidentiality or integrity directly. No known exploits are currently reported in the wild, and no patches or mitigation links have been provided yet. Given that HikCentral Master Lite is a video management system used for surveillance and security management, the injection could disrupt availability or cause operational issues if malicious CSV files are processed or opened by administrators or operators.

For European organizations, especially those in critical infrastructure, public safety, transportation, and private sectors relying on Hikvision's HikCentral Master Lite for video surveillance management, this vulnerability poses a risk of operational disruption. An attacker could deliver malicious CSV files via phishing or other social engineering methods to system operators, causing execution of unwanted commands when the CSV is opened. This could lead to denial of service conditions, manipulation of system logs or reports, or triggering of unintended actions within the management environment. Although confidentiality and integrity impacts are not directly indicated, the disruption of availability in security monitoring systems can degrade situational awareness and response capabilities. This is particularly concerning for organizations with high reliance on continuous surveillance, such as airports, public transit authorities, and law enforcement agencies. Additionally, the requirement for user interaction means that personnel training and awareness are critical factors in risk mitigation. The medium severity score reflects a moderate but tangible risk that should be addressed promptly to maintain operational security.

To mitigate this vulnerability, European organizations using affected versions of HikCentral Master Lite should: 1) Immediately review and restrict the handling of CSV files within the software environment, avoiding opening CSV exports from untrusted or unknown sources. 2) Implement strict input validation and sanitization procedures for any CSV data imported into the system, if possible, to detect and neutralize formula injection attempts. 3) Educate and train staff, especially system administrators and operators, about the risks of CSV Injection and the importance of cautious handling of CSV files received via email or other channels. 4) Monitor for any unusual system behavior or availability issues that could indicate exploitation attempts. 5) Engage with Hikvision support or security advisories to obtain patches or updates as soon as they become available, and plan for timely deployment. 6) Consider deploying application whitelisting or sandboxing techniques for spreadsheet applications used to open CSV files to limit potential damage from malicious formulas. 7) Employ email filtering and attachment scanning to reduce the likelihood of malicious CSV files reaching end users. These steps go beyond generic advice by focusing on operational controls, user awareness, and proactive monitoring tailored to the nature of CSV Injection in this specific product context.