CVE-2025-34067

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system.

CVSS

No CVSS.

References

Link	Resource
https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
https://s4e.io/tools/hikvision-applyct-remote-code-execution
https://vulncheck.com/advisories/hikvision-ismp-rce-applyct

Configurations

No configuration.

History

07 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 14:15

Updated : 2025-07-07 15:15

NVD link : CVE-2025-34067

Mitre link : CVE-2025-34067

CVE.ORG link : CVE-2025-34067

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

{"id": "CVE-2025-34067", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-02T14:15:24.250", "references": [{"url": "https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md", "source": "disclosure@vulncheck.com"}, {"url": "https://s4e.io/tools/hikvision-applyct-remote-code-execution", "source": "disclosure@vulncheck.com"}, {"url": "https://vulncheck.com/advisories/hikvision-ismp-rce-applyct", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-917"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de comandos no autenticados en el componente applyCT de Hikvision Integrated Security Management Platform debido al uso de una versi\u00f3n vulnerable de la librer\u00eda Fastjson. El endpoint /bic/ssoService/v1/applyCT deserializa la entrada de usuario no confiable, lo que permite a un atacante activar la funci\u00f3n de autotipado de Fastjson para cargar clases Java arbitrarias. Al referenciar una clase maliciosa mediante una URL LDAP, un atacante puede ejecutar c\u00f3digo remoto en el sistema subyacente."}], "lastModified": "2025-07-07T15:15:26.333", "sourceIdentifier": "disclosure@vulncheck.com"}