
Hikvision Vulnerabilities Allow Attackers to Inject Executable Commands

Hikvision has disclosed three security vulnerabilities affecting products in its HikCentral suite. The most serious lets an unauthenticated attacker obtain administrative access; the other two allow command injection through CSV files and local privilege escalation on Windows hosts. The flaws, tracked as CVE-2025-39245, CVE-2025-39246 and CVE-2025-39247, were reported to the Hikvision Security Response Center (HSRC) by security researchers Yousef Alfuhaid, Nader Alharbi, Eduardo Bido and Dr. Matthias Lutter. The most severe, CVE-2025-39247, is an access control bypass in HikCentral Professional versions V2.3.1 through V2.6.2, rated High with a CVSS v3.1 base score of 8.6. It stems from insufficient access control on the product's web service API endpoints: a specially crafted HTTP request can invoke privileged operations without prior authentication and without any user interaction.

CVE-2025-39245 is a CSV injection vulnerability in HikCentral Master Lite versions V2.2.1 through V2.3.2, with a CVSS base score of 4.7. Attacker-supplied text that ends up in a cell of a CSV file is not neutralised, so when a user opens that file in a spreadsheet application that evaluates formulas, a cell beginning with a character such as an equals sign is treated as a formula rather than as text and can be used to run commands on that user's machine. The commands run on the workstation of whoever opens the file, not on the HikCentral server, which is why the attack depends on an unsuspecting user handling the data.

CVE-2025-39246 is an unquoted service path vulnerability in HikCentral FocSign versions V1.4.0 through V2.2.0, with a CVSS base score of 5.3. On Windows, a service whose executable path contains spaces but is not enclosed in quotes is ambiguous: when the service starts, Windows tries each space-delimited prefix of the path as an executable name before reaching the intended binary. An authenticated attacker with local access who can write to one of those directories can plant a binary there, and Windows will run it in place of the legitimate service executable, with the service's privileges. Hikvision has released fixed versions for all three products and urges users to upgrade; restricting network access to the HikCentral web interfaces and reviewing their logs for unexpected requests reduce exposure in the meantime.
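
The mechanism behind the CSV injection described above, and the usual fix, as an added Python example that is not part of the original article or of Hikvision's software. The device records are constructed, the second device name is the textbook DDE payload that launches Calculator when Excel evaluates it, and all function names are this example's own. The vulnerable export and the hardened export are the same writer with sanitisation switched off and on, and a scanner shows why CSV quoting alone does not help:

```python
import csv
import io

# Leading characters that a spreadsheet application (Excel, LibreOffice Calc)
# treats as the start of a formula rather than literal text. Tab and carriage
# return are included because a cell starting with them followed by '=' is
# still evaluated by some versions.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDNAMES = ["name", "ip", "channels"]

# Constructed sample data: the second device name is the textbook CSV
# injection payload (a DDE call that starts Calculator if Excel evaluates it).
SAMPLE_ROWS = [
    {"name": "Lobby camera 01", "ip": "10.0.0.11", "channels": 1},
    {"name": "=cmd|' /C calc'!A0", "ip": "10.0.0.12", "channels": 1},
]


def is_formula_cell(value) -> bool:
    """True if this cell text would be evaluated as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value):
    """Neutralise a formula trigger by prefixing a single quote.

    The apostrophe makes spreadsheet applications store the cell as text.
    Non-string values (numbers) are passed through so that legitimate
    negative numbers are not turned into text.
    """
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames, sanitize=True) -> str:
    """Serialise rows to CSV; sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if sanitize:
            row = {k: sanitize_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan CSV text and return (line number, column) of every formula cell.

    Quoting alone does not help: the csv module wraps the payload in double
    quotes, but the spreadsheet strips them before deciding it is a formula.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for column, value in row.items():
            if is_formula_cell(value):
                hits.append((line_no, column))
    return hits


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, FIELDNAMES, sanitize=False)
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = export_csv(SAMPLE_ROWS, FIELDNAMES)
    print("sanitised export flags:", find_formula_cells(safe))
    print(safe)
```

The same scanner can be run over any CSV a product exports to check whether its cells were neutralised; note that the prefix-quote approach turns a string such as "-5" into text, so numeric columns should be emitted as numbers rather than strings.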
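
How Windows resolves an unquoted service path, and how an auditor finds the directories that matter, as an added Python example that is not part of the original article or of Hikvision's software. The service path and the list of writable directories are constructed for illustration (the advisory does not give FocSign's real install path), and the function names are this example's own; on a real host the writable-directory list would come from an ACL check that this offline example does not perform:

```python
from typing import Iterable, List

# Constructed example: a hypothetical service whose install directory contains
# spaces. It is not FocSign's real ImagePath, which the advisory does not give.
SAMPLE_IMAGE_PATH = r"C:\Program Files\Example Vendor\Example Service\svc.exe -k run"

# Constructed: directories assumed to be writable by a standard user on this
# host (a mis-set ACL). On a real system this comes from icacls or similar.
SAMPLE_WRITABLE = [r"C:\Program Files\Example Vendor"]


def executable_part(image_path: str) -> str:
    """Return the path portion of an ImagePath, without any arguments.

    A quoted path ends at the closing quote; an unquoted one is assumed to end
    at the first ".exe" (the common case for Windows services).
    """
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    end = p.lower().find(".exe")
    return p if end == -1 else p[:end + 4]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The classic misconfiguration: no quotes and a space inside the path."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)


def candidate_executables(image_path: str) -> List[str]:
    """List the files Windows would try, in order, when starting the service.

    For an unquoted command line CreateProcess splits at each space and tries
    the accumulated prefix as a program name, appending ".exe" when it has no
    extension, until a file exists. The final entry is the intended binary;
    every earlier one is a place where a planted file would win.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return [executable_part(p)]          # quoted: no ambiguity
    tokens = p.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break                            # rest of the line is arguments
        candidates.append(prefix + ".exe")
    return candidates


def plant_points(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates (excluding the real binary) whose directory the user can write.

    These are the exact files a local attacker would create to be executed
    with the service's privileges the next time it starts.
    """
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    hits = []
    for cand in candidate_executables(image_path)[:-1]:
        parent = cand.rsplit("\\", 1)[0]
        if parent.lower() in writable:
            hits.append(cand)
    return hits


if __name__ == "__main__":
    print("unquoted with spaces:", is_unquoted_with_spaces(SAMPLE_IMAGE_PATH))
    for cand in candidate_executables(SAMPLE_IMAGE_PATH):
        print("  Windows tries:", cand)
    print("writable plant points:", plant_points(SAMPLE_IMAGE_PATH, SAMPLE_WRITABLE))
```

On a Windows host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath, or from the PathName property returned by Get-CimInstance Win32_Service; feeding each one through candidate_executables gives the list of directories whose ACLs need checking. The fix is simply to quote the path in the service configuration, after which candidate_executables returns only the intended binary.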

Categories: Security Vulnerabilities, Access Control Issues, Software Exploits 

Tags: Hikvision, Security Vulnerabilities, HikCentral, CVE-2025-39245, CVE-2025-39246, CVE-2025-39247, Access Control, CSV Injection, Unquoted Service Path, Security Patches 
