An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Security readout for executives and security teams
Plain-English summary
CVE-2025-34067 is a critical unauthenticated remote code execution issue in Hikvision Integrated Security Management Platform. A vulnerable applyCT service can process unsafe data in a way that may let an attacker run commands on the server. For organizations using this platform, exposed management interfaces should be treated as high urgency.
Executive priority
Treat this as an urgent exposure-management item for any Hikvision security management platform in use. The combination of unauthenticated access, remote code execution, critical CVSS, and reported exploitation evidence warrants rapid inventory, containment, and vendor-guided remediation.
Technical view
The issue is unsafe Fastjson deserialization in /bic/ssoService/v1/applyCT. Untrusted input can trigger auto-type class loading and remote code execution on the underlying Java system. The bundle identifies CWE-502 and CVSS 4.0 score 10.0. Product and version detail is limited.
Likely exposure
Exposure is most likely where Hikvision Integrated Security Management Platform is reachable from the internet or broad internal networks. The source bundle only names version "0" and default status "unaffected," so asset validation against vendor guidance is necessary.
Exploitation context
The bundle says Shadowserver observed exploitation evidence on 2025-02-05 UTC and includes an exploit-tagged public reference. It is not marked as CISA KEV in the supplied data, so current active exploitation should not be assumed from this bundle alone.
Researcher notes
The strongest evidence is the CVE record, CVSS 10.0 vector, CWE-502 classification, and exploit-linked public references. The bundle does not provide a named vendor patch, precise affected version range, or KEV listing. Avoid assuming broader Hikvision product impact.
Mitigation direction
Identify all Hikvision Integrated Security Management Platform deployments and owners.
Check Hikvision guidance for fixed versions or official mitigations.
Restrict platform access to trusted admin networks only.
Block public access to the applyCT endpoint where operationally safe.
Monitor for suspicious requests to /bic/ssoService/v1/applyCT.
Prioritize isolation if patch status cannot be confirmed.
Validation and detection
Search asset inventory for Hikvision Integrated Security Management Platform.
Confirm whether /bic/ssoService/v1/applyCT is reachable externally.
Review logs for suspicious applyCT requests around and after 2025-02-05.
Confirm installed version and Fastjson dependency status with vendor documentation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.