Advisory

Critical remote code execution flaw reported in Industrial Video & Control Longwatch surveillance system

Take action: This one is very important! If you have Industrial Video & Control Longwatch surveillance systems, ensure these devices are isolated from the internet and only accessible from trusted networks. Then plan a very quick upgrade to version 6.335 or later. Your Longwatch is vulnerable and very easy to hack, so don't delay.


Learn More

CISA is reporting a critical security vulnerability in Industrial Video & Control's Longwatch video surveillance and monitoring platform that could enable unauthenticated attackers to gain control over affected systems.

Industrial Video & Control's Longwatch system is deployed in energy sector facilities, water and wastewater treatment plants, and other critical infrastructure environments that require integrated video surveillance for both security monitoring and operational diagnostics. The system's ability to transmit video over existing SCADA networks and integrate with process control data makes it valuable for industrial applications, but also increases the potential impact of a compromise.

The vulnerability, tracked as CVE-2025-13658 (CVSS score 9.3), is an improper control of code generation flaw. It is caused by an exposed HTTP endpoint in Longwatch devices that accepts unauthenticated GET requests and can execute arbitrary code due to the absence of code signing and execution controls. Malicious actors could gain full control of the surveillance system, potentially stealing sensitive operational data, disrupting critical monitoring functions, or using compromised devices as a foothold to move laterally through operational technology networks.

The flaw affects Longwatch versions 6.309 through 6.334 and was reported to CISA by a concerned operational technology engineer.

Industrial Video & Control has released version 6.335 to fix this flaw and strongly recommends that all users upgrade as soon as possible.
