Ethical Hacking News
Severe vulnerabilities have been discovered in Hikvision HikCentral, posing a significant threat to organizations relying on it for security infrastructure. The fixed versions are HikCentral Master Lite V2.4.0, FocSign V2.3.0, and Professional V3.0.1. Organizations should take immediate action to patch their systems with the latest updates provided by Hikvision. Hikvision has released guidance for affected customers, emphasizing the importance of applying updates immediately to prevent potential attacks.
Severe vulnerabilities have been discovered in the popular security software Hikvision HikCentral, which is widely used across industries to manage surveillance cameras, control building access, and integrate data from multiple devices. The most serious HikCentral flaw allows an attacker to gain admin rights, risking full control over configurations, logs, and critical monitoring functions.
Security researchers have identified three vulnerabilities impacting Hikvision HikCentral, which are as follows:
CVE-2025-39245 – Base score: 4.7 – A CSV Injection vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.
CVE-2025-39246 – Base score: 5.3 – An Unquoted Service Path vulnerability in some HikCentral FocSign versions. This could allow an authenticated user with local access to escalate privileges.
CVE-2025-39247 – Base score: 8.6 – An Access Control vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain admin permissions.
The three vulnerabilities are rated as high severity, and they pose a significant threat to organizations relying on Hikvision HikCentral for their security infrastructure. An attacker can exploit these flaws to take over critical functions, install malware, create hidden accounts, or exfiltrate sensitive information.
HikCentral serves as the backbone for many organizations' security infrastructure, and its reliability is crucial for maintaining the safety and continuity of their operations. However, with the discovery of these severe vulnerabilities, companies should treat this disclosure as a wake-up call.
The affected versions include:
Product Name            | CVE ID         | Affected Versions                                   | Fixed Version
HikCentral Master Lite  | CVE-2025-39245 | Versions between V2.2.1 and V2.3.2                  | V2.4.0
HikCentral FocSign      | CVE-2025-39246 | Versions between V1.4.0 and V2.2.0                  | V2.3.0
HikCentral Professional | CVE-2025-39247 | Versions between V2.3.1 and V2.6.2, and Version V3.0.0 | V2.6.3 or V3.0.1
Organizations running these builds should take immediate action to patch their systems with the latest updates provided by Hikvision in their official security bulletin.
In the case of CVE-2025-39247, the risk increases because attackers do not even need to authenticate first. They can approach the system anonymously, exploit the flaw, and instantly gain elevated control. This bypass undermines all trust in the standard authentication process.
Hikvision has already released guidance for affected customers, and the best step forward involves applying updates immediately. HikCentral administrators should:
Harden the environment while applying the update: limit external exposure of the HikCentral server.
Check the version number of the deployment. If it falls within the affected ranges, it requires attention.
Download and install the latest patches provided by Hikvision in their official security bulletin.
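The version check above can be scripted against the bulletin's table. The following is an added example, not Hikvision tooling; the product names, version ranges and fixed versions are taken from the table in this article, while the inventory lines and the `check` function are assumed for illustration.

```python
"""Check HikCentral deployments against the affected ranges from the bulletin."""
import re

# Inclusive affected ranges per product, copied from the bulletin table.
# Professional additionally lists the single version V3.0.0 as affected.
AFFECTED = {
    "HikCentral Master Lite": {"cve": "CVE-2025-39245",
                               "ranges": [("2.2.1", "2.3.2")],
                               "fixed": ["V2.4.0"]},
    "HikCentral FocSign": {"cve": "CVE-2025-39246",
                           "ranges": [("1.4.0", "2.2.0")],
                           "fixed": ["V2.3.0"]},
    "HikCentral Professional": {"cve": "CVE-2025-39247",
                                "ranges": [("2.3.1", "2.6.2"), ("3.0.0", "3.0.0")],
                                "fixed": ["V2.6.3", "V3.0.1"]},
}


def parse_version(text):
    """'V2.6.2' or '2.6.2 (Build 1234)' -> (2, 6, 2); raises on unparsable input."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def check(product, version_text):
    """Return (is_affected, cve_id, fixed_versions) for one product/version pair.
    Versions outside every published range (older or newer) report as not affected,
    because the bulletin only lists the ranges above."""
    entry = AFFECTED[product]
    v = parse_version(version_text)
    hit = any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in entry["ranges"])
    return hit, entry["cve"], entry["fixed"]


if __name__ == "__main__":
    # Constructed inventory lines, as an administrator might record them.
    inventory = [("HikCentral Professional", "V2.5.1"),
                 ("HikCentral Professional", "V3.0.1"),
                 ("HikCentral FocSign", "V1.4.0 (Build 20240101)"),
                 ("HikCentral Master Lite", "V2.4.0")]
    for product, ver in inventory:
        hit, cve, fixed = check(product, ver)
        state = f"AFFECTED by {cve}; upgrade to {' or '.join(fixed)}" if hit else "not in affected range"
        print(f"{product} {ver}: {state}")
```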
It is essential for organizations to take proactive measures to secure their systems and prevent potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Hikvision-HikCentral-Flaw-Exposed-A-Security-Nightmare-for-Organizations-ehn.shtml
https://securityaffairs.com/181896/hacking/severe-hikvision-hikcentral-product-flaws-what-you-need-to-know.html
https://securityonline.info/multi-flaws-found-in-hikcentral-including-a-bypass-for-admin-access-cve-2025-39247/
https://nvd.nist.gov/vuln/detail/CVE-2025-39245
https://www.cvedetails.com/cve/CVE-2025-39245/
https://nvd.nist.gov/vuln/detail/CVE-2025-39246
https://www.cvedetails.com/cve/CVE-2025-39246/
https://nvd.nist.gov/vuln/detail/CVE-2025-39247
https://www.cvedetails.com/cve/CVE-2025-39247/
Published: Thu Sep 4 06:52:07 2025 by llama3.2 3B Q4_K_M