Critical HIKVISION applyCT Vulnerability Exposes Devices to Code Execution Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical security vulnerability has been discovered in HIKVISION\u2019s applyCT component, part of the HikCentral Integrated Security Management Platform, that allows attackers to execute arbitrary code remotely without authentication.\u00a0<\/p>\n
Assigned CVE-2025-34067<\/a> with a maximum CVSS score of 10.0, this vulnerability stems from the platform\u2019s use of a vulnerable version of the Fastjson library, exposing millions of surveillance devices worldwide to potential compromise.<\/p>\n The vulnerability exploits the \/bic\/ssoService\/v1\/applyCT endpoint through malicious JSON payloads<\/a> processed by the Fastjson library.\u00a0<\/p>\n Attackers can craft specific JSON requests that trigger Fastjson\u2019s auto-type feature, enabling the loading of arbitrary Java classes.\u00a0<\/p>\n The attack mechanism involves manipulating the JdbcRowSetImpl class to establish connections with untrusted LDAP servers, effectively bypassing security controls.<\/p>\n The exploit requires sending a POST request with Content-Type: application\/json to the vulnerable endpoint. By manipulating the datasource parameter to point to a malicious LDAP server, attackers can achieve remote code execution on the underlying system.<\/p>\n This represents a classic case of CWE-502 Deserialization of Untrusted Data combined with CWE-917 Expression Language Injection, where insufficient input validation<\/a> allows unauthorized class loading and code execution.<\/p>\n The vulnerability affects the HikCentral platform, formerly known as the \u201cIntegrated Security Management Platform,\u201d which serves as a comprehensive security management solution widely deployed across government, commercial, and industrial sectors.\u00a0<\/p>\n The platform\u2019s extensive adoption makes this vulnerability particularly concerning, as it provides centralized control over multiple security devices and surveillance systems.<\/p>\n Potential consequences include unauthorized access to sensitive surveillance data, manipulation of security systems, and the possibility of lateral movement within network infrastructure.\u00a0<\/p>\n Organizations using affected HIKVISION applyCT systems face risks of data breaches, service disruptions, and potential compromise of their entire security infrastructure.<\/p>\n The vulnerability\u2019s unauthenticated nature means attackers can exploit it without requiring valid credentials, significantly lowering the barrier to entry for malicious actors.\u00a0<\/p>\n This has led to its classification as a known-exploited-vulnerability, indicating active exploitation in the wild.<\/p>\n Organizations should immediately assess their HIKVISION applyCT deployments and implement network segmentation to limit exposure.\u00a0<\/p>\n Monitoring for unusual network traffic to the \/bic\/ssoService\/v1\/applyCT endpoint can help detect attempts at exploitation.\u00a0<\/p>\n While specific patches have not been detailed in current advisories, users should contact HIKVISION support for immediate remediation guidance and consider temporarily restricting access to the vulnerable endpoint until patches are available.<\/p>\n Security teams should also implement additional monitoring for LDAP connection attempts from their HIKVISION systems and consider deploying network-based intrusion detection<\/a> systems to identify potential exploitation attempts targeting this critical vulnerability.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now<\/strong><\/a>\u00a0<\/p>\n The post Critical HIKVISION applyCT Vulnerability Exposes Devices to Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways
<\/strong><\/mark>1. CVE-2025-34067 (CVSS 10.0) in HIKVISION applyCT allows unauthenticated remote code execution.
2. Exploits Fastjson library via malicious JSON to \/bic\/ssoService\/v1\/applyCT endpoint using LDAP connections.
3. Affects HikCentral surveillance platforms across government, commercial, and industrial sectors globally.
4. Assess deployments immediately, restrict network access, and contact HIKVISION for patches - actively exploited.<\/pre>\nCritical Fastjson Deserialization Flaw<\/strong><\/h2>\n
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n \u2013 HIKVISION HikCentral (formerly \u201cIntegrated Security Management Platform\u201d)- applyCT component- Versions using vulnerable Fastjson library<\/td>\n<\/tr>\n \n Impact<\/td>\n Remote Code Execution (RCE)<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n \u2013 Network access to \/bic\/ssoService\/v1\/applyCT endpoint- Ability to send HTTP POST requests- No authentication required- Access to malicious LDAP server<\/td>\n<\/tr>\n \n CVSS Score<\/td>\n 10.0 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigations<\/strong><\/h2>\n