What security vulnerabilities has Hikvision reported in HikCentral?

Hikvision has reported three security vulnerabilities affecting multiple versions of its HikCentral product suite: CVE-2025-39247 (CVSS 8.6) - an access control vulnerability, CVE-2025-39245 (CVSS 4.7) - a CSV injection vulnerability, and CVE-2025-39246 (CVSS 5.3) - an unquoted service path vulnerability.

What is CVE-2025-39247 and which versions does it affect?

CVE-2025-39247 is an access control vulnerability with a CVSS score of 8.6 that allows unauthenticated users to obtain administrative permissions remotely without authentication. It exploits missing authentication checks on API endpoints, enabling attackers to bypass access control mechanisms. This affects HikCentral Professional versions V2.3.1 through V2.6.2.

What is CVE-2025-39245 and how does it work?

CVE-2025-39245 is a CSV injection vulnerability with a CVSS score of 4.7 that enables attackers to inject executable commands through maliciously crafted CSV data files. When users import these compromised CSV files, the embedded commands execute within the application context, potentially compromising system availability and data processing integrity. This affects HikCentral Master Lite versions V2.2.1 through V2.3.2.

What is CVE-2025-39246 and what versions are vulnerable?

CVE-2025-39246 is an unquoted service path vulnerability with a CVSS score of 5.3 that occurs when service executable paths contain spaces but lack proper quotation marks in the service configuration. An authenticated local user with file write permissions can plant a malicious binary in a higher-priority path, causing Windows to execute it with system privileges. This affects HikCentral FocSign versions V1.4.0 through V2.2.0.

Has Hikvision released patches for these vulnerabilities?

Yes, Hikvision has released security patches addressing all three vulnerabilities. Users should upgrade to the latest versions to address these security issues.

What should HikCentral Professional users do to fix CVE-2025-39247?

HikCentral Professional users running versions V2.3.1 through V2.6.2 should upgrade to either version V2.6.3 or V3.0.1 to remediate the critical access control bypass vulnerability.

How can HikCentral Master Lite users address the CSV injection vulnerability?

HikCentral Master Lite users running versions V2.2.1 through V2.3.2 should upgrade to version V2.4.0 to address the CSV injection vulnerability.

What should HikCentral FocSign users do about the unquoted service path vulnerability?

HikCentral FocSign users running versions V1.4.0 through V2.2.0 should upgrade to version V2.3.0 to resolve the unquoted service path vulnerability.

Advisory

Multiple vulnerabilities reported in Hikvision HikCentral products

published: Sept. 4, 2025

Take action: If you're using any Hikvision HikCentral products, prioritize HikCentral Professional for patching. It has the most dangerous flaw. First, make sure the products are isolated from the internet and accessible from trusted networks.

Learn More

Hikvision is reporting three security vulnerabilities affecting multiple versions of its HikCentral product suite that could enable attackers to execute malicious commands and gain unauthorized administrative access to surveillance infrastructure.

HikCentral is a centralized management software used for video surveillance, access control, and integrated security operations.

Vulnerabilities summary:

CVE-2025-39247 (CVSS score 8.6) - Access Control Vulnerability that allows unauthenticated users to obtain administrative permissions remotely without authentication. The vulnerability exploits missing authentication checks on API endpoints, enabling attackers to bypass access control mechanisms. Affects HikCentral Professional versions V2.3.1 through V2.6.2
CVE-2025-39245 (CVSS score 4.7) - CSV Injection Vulnerability that enables attackers to inject executable commands through maliciously crafted CSV data files. When users import these compromised CSV files, the embedded commands execute within the application context, potentially compromising system availability and data processing integrity. Affects HikCentral Master Lite versions V2.2.1 through V2.3.2
CVE-2025-39246 (CVSS score 5.3) - Unquoted Service Path Vulnerability that occurs when service executable paths contain spaces but lack proper quotation marks in the service configuration. An authenticated local user with file write permissions can plant a malicious binary in a higher-priority path, causing Windows to execute it with system privileges. Affects HikCentral FocSign versions V1.4.0 through V2.2.0.

Hikvision has released security patches addressing all three vulnerabilities.

HikCentral Master Lite: Users running versions V2.2.1 through V2.3.2 should upgrade to version V2.4.0 to address the CSV injection vulnerability.
HikCentral FocSign: Users running versions V1.4.0 through V2.2.0 should upgrade to version V2.3.0 to resolve the unquoted service path vulnerability.
HikCentral Professional: Users running versions V2.3.1 through V2.6.2 should upgrade to either version V2.6.3 or V3.0.1 to remediate the critical access control bypass vulnerability.

Multiple vulnerabilities reported in Hikvision HikCentral products

Read More
Critical vulnerabilities reported in Tigo Energy Cloud connect …
Syrus4 IoT Gateway critical Vulnerability Threatens Thousands of …
Critical flaws reported in mySCADA myPRO manager and …
AVEVA Process Optimization Vulnerabilities
CISA reports multiple vulnerabilities in Emerson ValveLink products, …