CVE-2025-39247 is a high-severity access control vulnerability affecting Hikvision's HikCentral Professional software versions between V2.3.1 and V2.6.2. HikCentral Professional is a video management system widely used for surveillance and security operations. The vulnerability allows an unauthenticated attacker to escalate privileges and obtain administrative permissions without any user interaction or prior authentication. According to the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), the attack can be performed remotely over the network with low attack complexity, no privileges required, and no user interaction needed. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is critical on confidentiality, as the attacker gains full admin rights, potentially exposing sensitive video feeds, configuration data, and user information. However, integrity and availability are not directly impacted according to the CVSS vector. No known exploits are currently reported in the wild, but the ease of exploitation and high impact make this a significant threat. The lack of available patches at the time of publication increases the urgency for mitigation. HikCentral Professional is commonly deployed in enterprise, government, and critical infrastructure environments for video surveillance, making this vulnerability particularly concerning for organizations relying on Hikvision products for security monitoring and control.

For European organizations, this vulnerability poses a substantial risk to the confidentiality of surveillance data and system configurations. Unauthorized admin access could lead to exposure of sensitive video footage, compromising privacy and potentially violating GDPR regulations. Attackers could also manipulate system settings, disable security alerts, or create backdoors for persistent access. Critical infrastructure operators, public institutions, and private enterprises using HikCentral Professional for physical security are at risk of espionage, sabotage, or data leakage. The breach of video surveillance systems could undermine trust in security operations and cause regulatory penalties. Additionally, given the interconnected nature of security systems, an attacker gaining admin access could pivot to other internal networks or systems, amplifying the impact. The vulnerability's remote exploitability without authentication makes it a prime target for cybercriminals and state-sponsored actors aiming to compromise European security environments.

Immediate mitigation steps should include isolating affected HikCentral Professional instances from untrusted networks to reduce exposure. Organizations should monitor network traffic for unusual access patterns or attempts to exploit the vulnerability. Implement network segmentation to limit access to the video management system only to trusted administrators and devices. Employ strict firewall rules and VPN access for remote connections. Since no patches are currently available, consider deploying compensating controls such as multi-factor authentication (MFA) on management interfaces if supported, and regularly audit user accounts and permissions. Maintain up-to-date backups of configuration and video data to enable recovery in case of compromise. Engage with Hikvision support channels to obtain information on forthcoming patches and apply updates promptly once released. Additionally, conduct penetration testing focused on access control weaknesses to identify and remediate any other potential vulnerabilities in the environment.