
Multiple Hikvision Vulnerabilities Let Attackers Inject Executable Commands

Hikvision has disclosed three significant security vulnerabilities affecting multiple versions of its HikCentral product suite that could enable attackers to execute malicious commands and gain unauthorized administrative access. 

The vulnerabilities, assigned the CVE identifiers CVE-2025-39245, CVE-2025-39246, and CVE-2025-39247, were reported to the Hikvision Security Response Center (HSRC) by security researchers Yousef Alfuhaid, Nader Alharbi, Eduardo Bido, and Dr. Matthias Lutter.

Key Takeaways
1. CVE-2025-39247 lets unauthenticated attackers bypass access control in HikCentral Professional.
2. It exploits missing authentication checks on API endpoints.
3. Fix by upgrading and tightening network and logging controls.

Access Control Vulnerability

The most severe vulnerability (CVE-2025-39247) affects HikCentral Professional versions V2.3.1 through V2.6.2, carrying a high CVSS v3.1 base score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). 

This access control flaw allows unauthenticated remote attackers to obtain administrator privileges without requiring user interaction or prior authentication credentials.

Technically, the root cause lies in insufficient access control within the web service API endpoints of HikCentral Professional. 

Certain administrative functions fail to properly verify user authentication tokens, allowing specially crafted HTTP requests to invoke privileged operations. 
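To make the flaw class concrete, the following is an added, hypothetical model (not Hikvision's code, and not derived from the HikCentral API) of a privileged API handler reached two ways: through a router that trusts each handler to check the caller itself, and through a deny-by-default dispatcher that resolves the session token and enforces the required role before any handler runs. The session table, route names, roles and tokens are all constructed for the example.

```python
"""Model of a 'missing authentication check' on an admin API endpoint and the
deny-by-default fix. Hypothetical example; not Hikvision's code."""
import hmac

# Constructed session table: bearer token -> role. A real service keeps this server-side.
SESSIONS = {
    "tok-admin-example": "admin",
    "tok-operator-example": "operator",
}

def role_for_token(token):
    """Resolve a presented token to a role; constant-time compare avoids timing leaks."""
    if not token:
        return None
    for known, role in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return role
    return None

def create_admin_user(request):
    """Privileged operation. On its own it verifies nothing about the caller:
    that is the bug class when the router does not verify either."""
    return {"status": 200, "created": request["body"]["username"]}

def list_cameras(request):
    return {"status": 200, "cameras": ["cam-01", "cam-02"]}

# Vulnerable pattern: route straight to the handler, so any handler that forgets
# to check the caller is reachable by unauthenticated requests.
ROUTES_VULNERABLE = {
    "/api/admin/users": create_admin_user,
    "/api/cameras": list_cameras,
}

# Hardened pattern: every route declares the role it needs and the dispatcher
# enforces it before the handler runs. Unknown routes and missing tokens are denied.
ROUTES_HARDENED = {
    "/api/admin/users": ("admin", create_admin_user),
    "/api/cameras": ("operator", list_cameras),
}
ROLE_RANK = {"operator": 1, "admin": 2}

def dispatch_vulnerable(request):
    handler = ROUTES_VULNERABLE.get(request["path"])
    if handler is None:
        return {"status": 404}
    return handler(request)

def dispatch_hardened(request):
    entry = ROUTES_HARDENED.get(request["path"])
    if entry is None:
        return {"status": 404}
    required, handler = entry
    role = role_for_token(request.get("headers", {}).get("Authorization"))
    if role is None:
        return {"status": 401, "error": "authentication required"}
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return {"status": 403, "error": f"{required} privileges required"}
    return handler(request)

if __name__ == "__main__":
    anon = {"path": "/api/admin/users", "headers": {}, "body": {"username": "newadmin"}}
    print(dispatch_vulnerable(anon))  # status 200 with no credentials presented
    print(dispatch_hardened(anon))    # status 401
```

The design point is that authentication and role checks live in one place that every request passes through; a forgotten check inside a single handler then cannot expose a privileged operation. Reviewing each endpoint for its own check, as the vulnerable router requires, is exactly what scales badly across a large product API.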

CSV Injection Flaw

The first vulnerability (CVE-2025-39245) represents a CSV injection attack vector in HikCentral Master Lite versions V2.2.1 through V2.3.2. 

With a CVSS score of 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L), this vulnerability enables attackers to inject executable commands through maliciously crafted CSV data files. 

When unsuspecting users import these compromised CSV files, the embedded commands execute within the application context, potentially compromising system availability and data processing integrity.
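The defensive counterpart is to treat any cell that a spreadsheet or import routine would interpret as a formula as literal text. The following is an added example (not HikCentral's import logic) that scans CSV text for cells beginning with the usual formula trigger characters, prefixes them with a single quote so they are read as text, and reports which cells were changed. The sample CSV is constructed for the example; the one deliberate edge case is that a plain negative number such as -5 also starts with a trigger character and is left untouched.

```python
"""Detect and neutralize formula-like cells in CSV data before it is imported or
exported. Added example, not vendor code."""
import csv
import io

# Leading characters that spreadsheets treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_cell(value):
    """True if the cell would be parsed as a formula rather than as text."""
    return value.startswith(FORMULA_TRIGGERS)

def is_plain_number(value):
    """A bare numeric literal (e.g. -5, +3.5) is legitimate data, not a formula."""
    try:
        float(value)
        return True
    except ValueError:
        return False

def neutralize_cell(value):
    """Force formula-like text to be read literally by prefixing a single quote,
    the text marker most spreadsheets honour. Plain numbers are left alone."""
    if is_formula_cell(value) and not is_plain_number(value):
        return "'" + value
    return value

def sanitize_csv(text):
    """Return (clean_csv_text, flagged) where flagged lists (row, col, original)
    for every cell that was rewritten. Row 1 is the first line of the input."""
    flagged = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean = []
        for col_no, cell in enumerate(row, start=1):
            new = neutralize_cell(cell)
            if new != cell:
                flagged.append((row_no, col_no, cell))
            clean.append(new)
        writer.writerow(clean)
    return out.getvalue(), flagged

# Constructed sample: one formula cell, one '@'-prefixed cell, one legitimate negative number.
SAMPLE = (
    "name,site,balance\n"
    "alice,Lobby,-5\n"
    "\"=SUM(1,2)\",Gate 2,10\n"
    "@bob,Office,0\n"
)

if __name__ == "__main__":
    clean, flagged = sanitize_csv(SAMPLE)
    print(clean)
    for row_no, col_no, original in flagged:
        print(f"row {row_no} col {col_no}: neutralized {original!r}")
```

Whether the single-quote prefix is the right neutralization depends on the consumer: it suits data bound for a spreadsheet, while an importer that feeds cells into its own command or script layer should instead reject flagged cells outright. The flagged list is what a detection pipeline would log in either case.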

Service Path Vulnerability

HikCentral FocSign versions V1.4.0 through V2.2.0 contain an unquoted service path vulnerability (CVE-2025-39246) scoring 5.3 on the CVSS scale (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). 

This Windows-specific vulnerability occurs when service executable paths contain spaces but lack proper quotation marks in the service configuration.


Authenticated attackers with local system access can exploit this flaw by placing malicious executables in strategic filesystem locations. 

When the vulnerable service starts, Windows may execute the attacker’s payload instead of the legitimate service binary due to path resolution ambiguity.
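The path resolution ambiguity is mechanical: when a service path is unquoted and contains spaces, Windows tries each space-delimited prefix as a program name (appending .exe where the prefix has no extension) before it reaches the intended binary. The following added audit helper (not Hikvision's code; service names and paths are constructed) reproduces that lookup order for a set of service image paths and lists the directories whose write permissions an administrator should verify. It assumes, as a heuristic, that the intended executable ends at the first token ending in ".exe".

```python
"""Audit Windows service image paths for the unquoted-path ambiguity.
Added example, not vendor code; pure string logic, runs on any platform."""
import ntpath

def is_quoted(image_path):
    return image_path.startswith('"')

def intended_executable(image_path):
    """Heuristic: the intended binary is the shortest prefix ending in .exe.
    If no token ends in .exe, the whole string is treated as the path."""
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix
    return image_path

def ambiguous_candidates(image_path):
    """Paths Windows would try, in order, before the intended binary.
    Empty for quoted paths and for paths whose executable part has no spaces."""
    if is_quoted(image_path):
        return []
    exe = intended_executable(image_path)
    if " " not in exe:
        return []
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"   # no extension: .exe is appended during lookup
        candidates.append(prefix)
    return candidates

def audit_services(services):
    """services: mapping of service name -> ImagePath. Returns a list of findings,
    each with the ambiguous paths and the directories to check for write access."""
    findings = []
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            findings.append({
                "service": name,
                "image_path": image_path,
                "candidates": candidates,
                "check_dirs": sorted({ntpath.dirname(c) for c in candidates}),
            })
    return findings

# Constructed sample registry values (hypothetical vendor paths).
SAMPLE_SERVICES = {
    "GoodSvc":   '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "RiskySvc":  'C:\\Program Files\\Vendor App\\svc.exe -run',
    "SimpleSvc": 'C:\\Windows\\system32\\svchost.exe -k netsvcs',
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f["service"], "->", f["candidates"], "check:", f["check_dirs"])
```

On a real host the input would come from `Get-CimInstance Win32_Service | Select-Object Name, PathName` or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services. A finding is only exploitable if a non-administrator can write to one of the listed directories, so the ACL check on those directories is what turns the audit result into a risk rating; the vendor fix is to quote the path, which empties the candidate list.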

CVE ID          Title                                             CVSS 3.1 Score  Severity
CVE-2025-39245  CSV Injection in HikCentral Master Lite           4.7             Medium
CVE-2025-39246  Unquoted Service Path in HikCentral FocSign       5.3             Medium
CVE-2025-39247  Access Control Bypass in HikCentral Professional  8.6             High

Patching Required

Hikvision has released security patches addressing all three vulnerabilities. HikCentral Master Lite users should upgrade to version V2.4.0, while FocSign users require version V2.3.0. 

The most critical update involves HikCentral Professional, where users must install either V2.6.3 or V3.0.1 to remediate the severe access control bypass vulnerability.

Organizations should prioritize patching CVE-2025-39247 due to its high severity rating and potential for remote exploitation without authentication. 

The vulnerability’s network attack vector and changed scope classification indicate that successful exploitation could impact additional systems beyond the initially compromised target. 

Security teams should implement comprehensive network segmentation to limit potential attack propagation.


The post Multiple Hikvision Vulnerabilities Let Attackers Inject Executable Commands appeared first on Cyber Security News.
