Hackers can exploit various security flaws in Hikvision devices, permitting them to issue harmful commands.
Hikvision Discloses Critical Security Vulnerabilities in HikCentral Product Suite
Hikvision, a leading provider of video surveillance products and solutions, has disclosed three critical security vulnerabilities in its HikCentral product suite. The vulnerabilities were reported through the company's Security Response Center by security researchers Yousef Alfuhaid, Nader Alharbi, Eduardo Bido, and Dr. Matthias Lutter.
The most severe vulnerability, CVE-2025-39247, affects HikCentral Professional versions V2.3.1 through V2.6.2 and has a high CVSS v3.1 base score of 8.6. This access control flaw allows unauthenticated remote attackers to obtain administrator privileges without requiring user interaction or prior authentication credentials. To remediate this access control bypass, HikCentral Professional users must install either V2.6.3 or V3.0.1.
The first of the three, CVE-2025-39245, is a CSV injection flaw in HikCentral Master Lite versions V2.2.1 through V2.3.2. With a CVSS score of 4.7, it enables attackers to inject executable commands through maliciously crafted CSV data files. HikCentral Master Lite users should upgrade to version V2.4.0 to address this issue.
HikCentral FocSign versions V1.4.0 through V2.2.0 are also affected by a vulnerability, CVE-2025-39246, scoring 5.3 on the CVSS scale. However, no further details about this vulnerability have been disclosed. Users of FocSign should upgrade to version V2.3.0 to mitigate potential risks.
Successful exploitation of CVE-2025-39247 could impact additional systems beyond the initially compromised target due to its network attack vector and changed scope classification. When the vulnerable service starts, Windows may execute the attacker's payload instead of the legitimate service binary due to path resolution ambiguity.
In some cases, authenticated attackers with local system access can exploit this flaw by placing malicious executables in strategic filesystem locations. This vulnerability is Windows-specific and occurs when service executable paths contain spaces but lack proper quotation marks in the service configuration.
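The unquoted-path condition described above can be audited from the defender's side. The following Python check is an added example, not code from the advisory or from Hikvision: it takes the PathName values an administrator would export from `Get-CimInstance Win32_Service`, flags unquoted executable paths containing spaces, and lists the shorter paths Windows would try to resolve first (the directories an administrator must confirm are not writable by low-privileged users). The service names and paths are constructed for the example.

```python
from typing import Dict, List, Tuple

def parse_image_path(path_name: str) -> Tuple[str, bool]:
    """Split a Win32_Service PathName into (executable path, was_quoted).

    A quoted PathName is unambiguous: the executable is exactly the text
    between the first pair of double quotes. An unquoted one is returned
    whole (arguments included) for further inspection.
    """
    s = path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    return s, False

def ambiguous_prefixes(path_name: str) -> List[str]:
    """Return the candidate paths Windows tries before the real executable.

    For an unquoted path such as C:\\Program Files\\Vendor Dir\\svc.exe,
    CreateProcess tries each space-delimited prefix (with .exe appended)
    in turn. An empty list means the service is not affected by this
    condition. Limitation: the executable is located by its first ".exe"
    token, so an unquoted path without an .exe extension is not analysed.
    """
    exe, quoted = parse_image_path(path_name)
    if quoted:
        return []
    idx = exe.lower().find(".exe")
    if idx == -1:
        return []
    exe_path = exe[: idx + 4]          # drop any service arguments
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit_services(services: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each affected service name to the paths that shadow its binary."""
    findings = {}
    for svc in services:
        prefixes = ambiguous_prefixes(svc["PathName"])
        if prefixes:
            findings[svc["Name"]] = prefixes
    return findings

# Constructed sample inventory (not real Hikvision services or paths).
SAMPLE_SERVICES = [
    {"Name": "GoodQuoted", "PathName": r'"C:\Program Files\Example Vendor\svc.exe" -run'},
    {"Name": "SystemSvc", "PathName": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"Name": "BadUnquoted", "PathName": r"C:\Program Files\Example Vendor\Sub Dir\agent.exe --service"},
]

if __name__ == "__main__":
    for name, paths in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, shadowed by {paths}")
```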
Organizations should prioritize patching CVE-2025-39247 due to its high severity rating and potential for remote exploitation without authentication. Security teams should implement comprehensive network segmentation to limit potential attack propagation. Hikvision has released security patches addressing all three vulnerabilities.
The root cause of this vulnerability lies in insufficient access control within the web service API endpoints of HikCentral Professional. The security company encourages users to stay vigilant and promptly apply security updates to ensure the continued protection of their systems.