LiveActive security incident?Get immediate response
CVE Record

CVE-2025-34067: Hikvision Integrated Security Management Platform Remote Command Execution via applyCT Fastjson

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CriticalCVSS 10Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2025-34067 is a critical unauthenticated remote code execution issue in Hikvision Integrated Security Management Platform. A vulnerable applyCT service can process unsafe data in a way that may let an attacker run commands on the server. For organizations using this platform, exposed management interfaces should be treated as high urgency.

Executive priority

Treat this as an urgent exposure-management item for any Hikvision security management platform in use. The combination of unauthenticated access, remote code execution, critical CVSS, and reported exploitation evidence warrants rapid inventory, containment, and vendor-guided remediation.

Technical view

The issue is unsafe Fastjson deserialization in /bic/ssoService/v1/applyCT. Untrusted input can trigger auto-type class loading and remote code execution on the underlying Java system. The bundle identifies CWE-502 and CVSS 4.0 score 10.0. Product and version detail is limited.

Likely exposure

Exposure is most likely where Hikvision Integrated Security Management Platform is reachable from the internet or broad internal networks. The source bundle only names version "0" and default status "unaffected," so asset validation against vendor guidance is necessary.

Exploitation context

The bundle says Shadowserver observed exploitation evidence on 2025-02-05 UTC and includes an exploit-tagged public reference. It is not marked as CISA KEV in the supplied data, so current active exploitation should not be assumed from this bundle alone.

Researcher notes

The strongest evidence is the CVE record, CVSS 10.0 vector, CWE-502 classification, and exploit-linked public references. The bundle does not provide a named vendor patch, precise affected version range, or KEV listing. Avoid assuming broader Hikvision product impact.

Mitigation direction

  • Identify all Hikvision Integrated Security Management Platform deployments and owners.
  • Check Hikvision guidance for fixed versions or official mitigations.
  • Restrict platform access to trusted admin networks only.
  • Block public access to the applyCT endpoint where operationally safe.
  • Monitor for suspicious requests to /bic/ssoService/v1/applyCT.
  • Prioritize isolation if patch status cannot be confirmed.

Validation and detection

  • Search asset inventory for Hikvision Integrated Security Management Platform.
  • Confirm whether /bic/ssoService/v1/applyCT is reachable externally.
  • Review logs for suspicious applyCT requests around and after 2025-02-05.
  • Confirm installed version and Fastjson dependency status with vendor documentation.
  • Verify compensating controls restrict unauthenticated access.
  • Document patch or mitigation evidence for each instance.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-34067 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HVulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

10Critical
CVSS 4.0 vector shape for CVE-2025-34067Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
HikvisionIntegrated Security Management Platform0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-502 · source CWE mapping

Deserialization of Untrusted Data

Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.