Critical HIKVISION applyCT Vulnerability (CVE-2025-34067) Allows Remote Code Execution

7th July 2025, Kathmandu

A critical security flaw (CVE-2025-34067) has been discovered in HIKVISION applyCT, also known as HikCentral, posing a serious risk to global surveillance infrastructures.

Critical HIKVISION applyCT Vulnerability

This vulnerability allows unauthenticated remote code execution (RCE) and affects thousands of security systems across government, commercial, and industrial sectors.

What is HIKVISION applyCT (HikCentral)?

applyCT, marketed as HikCentral, is a powerful security management platform developed by HIKVISION. With advanced analytics, centralized monitoring, and a scalable architecture, it’s widely adopted for managing surveillance systems, video feeds, and security devices.

However, its popularity and widespread use mean that any vulnerability can have massive, far-reaching consequences.

CVE-2025-34067: Key Technical Details:

Component Affected: applyCT (HikCentral)

Vulnerability Type: Unauthenticated Remote Code Execution (RCE)

Attack Vector: Network-based, no authentication required

Root Cause: Vulnerable use of the Fastjson library

Vulnerable Endpoint: /bic/ssoService/v1/applyCT

Exploit Mechanism: Exploits Fastjson’s auto-type deserialization feature

Attackers can send a malicious JSON payload to this endpoint, leveraging a vulnerable deserialization process to load arbitrary Java classes from a remote LDAP server—specifically via the JdbcRowSetImpl class—resulting in full remote code execution on the target server.

Proof-of-Concept (PoC) Explained

In a typical exploit:

The attacker sends a crafted POST request with a JSON payload.

The datasource field is manipulated to point to a malicious LDAP server.

The system loads the remote class and executes it.

The attacker gains unauthorized access and control over the system.

Severity Level: CRITICAL

CVSS 4.0 Score: 10.0 (Maximum)

Risk Level: Extremely High

Authentication Required: No

Potential Impact of Exploitation

Organizations using vulnerable versions of applyCT are exposed to severe risks:

Full system compromise

Unauthorized access to surveillance footage and sensitive data

Disruption or manipulation of security systems and video feeds

Lateral movement within internal networks

Financial losses, reputational damage, and legal consequences

Recommended Mitigation Steps

To defend against CVE-2025-34067, organizations must take immediate action:

1. Upgrade Immediately

Update to a patched version of HikCentral that removes the use of vulnerable Fastjson versions.

2. Restrict Endpoint Access

Block access to /bic/ssoService/v1/applyCT from all untrusted networks or external traffic.

3. Monitor LDAP Traffic

Set up alerts and monitor for suspicious outbound LDAP traffic, a potential sign of exploitation.

4. Apply Vendor Security Updates

Regularly check and apply security patches released by HIKVISION to keep your infrastructure secure.

Final Thoughts

This vulnerability in HIKVISION applyCT is a wake-up call for organizations relying on centralized surveillance platforms. With the threat of remote code execution without authentication, the stakes are higher than ever.

Immediate patching and endpoint protection are crucial to mitigating this risk. Organizations should also audit existing deployments for exposure and update security protocols accordingly.

Stay updated on cybersecurity threats and mitigation tips at ICT Frame Magazine, your trusted source for IT news and analysis in Nepal and beyond.

For more: Critical HIKVISION applyCT Vulnerability