The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about a critical remote code execution vulnerability affecting Industrial Video & Control’s Longwatch video surveillance and monitoring system.
The flaw enables unauthenticated attackers to execute arbitrary code with SYSTEM-level privileges, posing significant risks to organizations using the affected platform.
Critical Vulnerability Details
The vulnerability, identified as CVE-2025-13658, stems from improper control over code generation, allowing attackers to exploit an exposed endpoint via unauthenticated HTTP GET requests.
| CVE ID | CVSS v3.1 Score | CVSS v4 Score | Severity |
|---|---|---|---|
| CVE-2025-13658 | 9.8 | 9.3 | Critical |
The security flaw affects Longwatch versions 6.309 through 6.334. It carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, both classified as critical severity.
The vulnerability is particularly dangerous because it requires no authentication, has low attack complexity, and can be exploited remotely.
Successful exploitation grants attackers remote code execution capabilities with elevated SYSTEM-level privileges, potentially compromising the entire surveillance infrastructure.
The vulnerability impacts critical infrastructure sectors, including Energy, Water, and Wastewater Systems, with deployments worldwide.
The absence of code signing and execution controls in the affected versions allows attackers to execute malicious code without proper validation, leading to complete system compromise.
Industrial Video & Control strongly recommends that users immediately upgrade to Longwatch version 6.335 or later.
CISA advises organizations to minimize network exposure, isolate control systems behind firewalls, and implement secure remote access through updated VPN solutions.
Organizations should conduct thorough impact analysis before deploying defensive measures.
A concerned OT engineer responsibly disclosed the vulnerability. No public exploitation has been reported to CISA at this time.
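
The affected range (6.309 through 6.334) and the fixed release (6.335) given above can be applied to an asset inventory to prioritise upgrades. The following is an added example, not code from CISA or Industrial Video & Control; the CSV layout, host names and the "major.build" reading of the version string are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

# Range and fixed release as stated in the advisory text above.
AFFECTED_MIN = (6, 309)
AFFECTED_MAX = (6, 334)
FIXED_MIN = (6, 335)

# Constructed sample inventory: hosts, versions and exposure flags are made up.
SAMPLE_INVENTORY = """host,longwatch_version,internet_facing
lw-plant-a,6.309,yes
lw-plant-b,6.334,no
lw-pump-01,6.335,no
lw-legacy,6.120,no
lw-sub-07,v6.320 ,yes
lw-unknown,unknown,yes
"""

def parse_version(text):
    """Return (major, build) or None. Assumes an integer 'major.build' scheme."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable: needs a manual check
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    return "not-listed"         # older than 6.309: not covered by the stated range

def triage(inventory_csv):
    """Return (host, status, exposed) rows, most urgent first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["longwatch_version"])
        exposed = row["internet_facing"].strip().lower() == "yes"
        rows.append((row["host"], status, exposed))
    order = {"affected": 0, "unknown": 1, "not-listed": 2, "fixed": 3}
    # Affected hosts first, then unknowns; exposed hosts first within each group.
    rows.sort(key=lambda r: (order[r[1]], not r[2], r[0]))
    return rows

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:10} {'EXPOSED' if exposed else 'internal'}")
```

Versions are compared as integer pairs rather than as decimals, and hosts older than 6.309 are reported separately because the stated range says nothing about them.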
