On August 28, 2025, the Hikvision Security Response Center (HSRC) issued Security Advisory SN No. HSRC-202508-01, detailing three critical vulnerabilities affecting various HikCentral products.
Collectively assigned CVE identifiers CVE-2025-39245, CVE-2025-39246, and CVE-2025-39247, these vulnerabilities range in severity from moderate to high and could enable attackers to execute unauthorized commands, escalate privileges, or obtain administrative access.
The first vulnerability, CVE-2025-39245, is a CSV Injection vulnerability discovered in HikCentral Master Lite versions 2.2.1 through 2.3.2.
In the affected versions, maliciously crafted CSV files could include formulas or commands that execute when opened by spreadsheet applications.
By embedding executable code into CSV fields, an attacker can trick operators into triggering harmful scripts simply by viewing exported logs or reports.
Rated with a base CVSS v3.1 score of 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L), this vector requires network access and user interaction but can have systemic impact if not mitigated.
Users are advised to upgrade to Master Lite version 2.4.0, where input sanitization has been implemented to neutralize embedded formulas.
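The mitigation described above, neutralising cells that a spreadsheet would evaluate as formulas, as an added example written for this article (not Hikvision's own patch); the log rows and formula value are constructed for illustration:

```python
"""Added example: neutralising spreadsheet formulas in a CSV export.

Illustrative code for this article, not code from the HikCentral fix.
Any field that Excel or LibreOffice would interpret as a formula is
prefixed with a single quote so it renders as literal text, and the file
is written through the csv module so separators inside fields are quoted.
"""
import csv
import io

# Leading characters that make common spreadsheet applications treat a
# cell as a formula rather than as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value as text that is safe to place in a CSV cell."""
    text = "" if value is None else str(value)
    # Some applications strip leading spaces before the formula check,
    # so inspect the first non-space character, not the first byte.
    stripped = text.lstrip(" ")
    if stripped.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(header, rows):
    """Serialise header and rows to CSV text with every cell neutralised.

    Columns known to be numeric can be exempted by the caller; here every
    cell is treated as untrusted text.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(c) for c in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample (hypothetical, not from the advisory): an event log
# whose "operator" field was set by an untrusted user to a formula.
SAMPLE_HEADER = ["timestamp", "operator", "event"]
SAMPLE_ROWS = [
    ["2025-08-28 10:00", "alice", "login"],
    ["2025-08-28 10:05", "=SUM(1,2)", "export"],
    ["2025-08-28 10:07", "  -2+3", "comment"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```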
Unquoted Service Path
The second issue, CVE-2025-39246, affects HikCentral FocSign versions 1.4.0 through 2.2.0. An Unquoted Service Path vulnerability arises when Windows service executables reside in file paths containing spaces but lack quotation marks in their service definitions.
An authenticated local user with file write permissions can plant a malicious binary in a higher-priority path, causing Windows to execute it with system privileges.
With a CVSS base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), this vulnerability underscores the need for secure service configuration.
Hikvision has released FocSign version 2.3.0 to address the issue, enclosing all service paths in quotes and verifying executable signatures.
The most severe vulnerability disclosed is CVE-2025-39247, an Access Control vulnerability in HikCentral Professional versions 2.3.1 through 2.6.2.
By exploiting insufficient authentication checks, an unauthenticated remote attacker can bypass access controls and obtain administrative privileges.
Once admin rights are gained, adversaries can reconfigure system settings, create new accounts, or deploy further malware.
Scored at a critical 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), this vulnerability poses a high risk to enterprises relying on HikCentral Professional for security monitoring.
Hikvision recommends upgrading to either Professional version 2.6.3 or 3.0.1, both of which close the authentication loophole and strengthen session management.
A consolidated overview of the affected products and fixes is as follows:
| Product | CVE ID | Affected Versions | Fixed Version(s) |
|---|---|---|---|
| HikCentral Master Lite | CVE-2025-39245 | 2.2.1 – 2.3.2 | 2.4.0 |
| HikCentral FocSign | CVE-2025-39246 | 1.4.0 – 2.2.0 | 2.3.0 |
| HikCentral Professional | CVE-2025-39247 | 2.3.1 – 2.6.2 | 2.6.3 or 3.0.1 |
To obtain the patched versions, administrators should contact their regional technical support teams via Hikvision’s contact portal.
Detailed download links are available for FocSign 2.3.0 and Professional 2.6.3/3.0.1 on Hikvision’s website.
HSRC credits Yousef Alfuhaid and Nader Alharbi for jointly reporting the CSV Injection issue, Eduardo Bido for identifying the unquoted service path vulnerability, and Dr. Matthias Lutter for uncovering the access control bypass.
“We encourage security researchers to continue reporting findings to HSRC to help ensure the integrity of our products,” the advisory states.