Summary:  A critical RCE vulnerability has been found in the Hikvision HikCentral security management system, mainly in the apply CT component.

OEM	Hikvision
Severity	Critical
CVSS Score	10.0
CVEs	CVE-2025-34067
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

It helps attackers to take full control of servers that manage security cameras and building systems without user interaction and authentication. The issue comes from a weakness in an old part of the software – Fastjson, a Java library.

Hackers can use this flaw to run harmful code remotely over the network. A PoC to exploit this vulnerability has been published already. 

Vulnerability Name	CVE ID	Product Affected	Severity
​ Remote Code Execution Vulnerability	CVE-2025-34067	HikCentral (applyCT)	Critical

Technical Summary 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-34067	HikCentral	The /bic/ssoService/v1/applyCT endpoint is vulnerable due to the use of an outdated Fastjson library with unsafe auto-type deserialization enabled. Attackers can send malicious JSON payloads containing LDAP references to attacker-controlled Java classes.	Remote code execution

A security flaw exists in the “/bic/ssoService/v1/applyCT” endpoint, which accepts JSON input. This allows attackers to send specially designed data that tricks the system into loading malicious code from an attacker-controlled server.

Since the system processes this data before checking if the user is logged in, even someone without any login credentials can exploit it. If successful, the attacker can run harmful code under the HikCentral service’s permissions. This helped them move through the network, access or control camera feeds, DVRs/NVRs, and other connected systems across the enterprise.Proof of Concept (PoC): 

(Source: PeiQi0 )

Remediation: 

• Apply Patches: Users should contact HIKVISION support for immediate remediation guidance and apply any security updates or hotfixes provided by the vendor. 

• Update Fastjson Library: Ensure the Fastjson library is updated to a secure patched version. 

Recommendations: 

• Configuration Check: If patching isn’t possible, block or redirect all traffic to the “/bic/ssoService/” endpoints – especially on systems that are accessible from the internet. 

• Network Segmentation: Isolate surveillance and physical security networks from business-critical systems. 

• Monitoring: Check logs for outbound LDAP traffic, suspicious Java class loads, or unexpected command execution from the HikCentral host. 

Conclusion: 
This vulnerability helps attackers to take full control of the system, Publicly available code makes it easy for attackers to exploit this flaw. Because of the critical risk, it has received the maximum severity score (CVSS 10.0).  

If not fixed, attackers could turn off security cameras, change alarm settings, delete important evidence, and even watch staff movements live. To protect against this threat, it’s urgent to install the latest patch, isolate the system from the internet and closely monitor for suspicious activity. 

References: 

• https://covertaccessteam.substack.com/p/critical-hikvision-flaw-exposes-entire 

• https://s4e.io/tools/hikvision-applyct-remote-code-execution