Critical HIKVISION applyCT Flaw Allows Remote Code Execution
A newly disclosed vulnerability, tracked as CVE-2025-34067, has been identified in HIKVISION’s widely deployed security management platform, applyCT (also known as HikCentral).
This critical flaw allows unauthenticated remote code execution (RCE), putting countless surveillance and security infrastructures at risk across government, commercial, and industrial sectors.
applyCT’s advanced analytics and scalable architecture make it a popular choice for organizations requiring robust surveillance and security management.
The platform’s widespread adoption means that vulnerabilities can have far-reaching consequences.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-34067 |
| Published | 2025-07-02 |
| Endpoint | /bic/ssoService/v1/applyCT |
| CVSS Score | 10.0 (Critical) |
Technical Details
- Component Affected: applyCT (HikCentral)
- Vulnerability Type: Unauthenticated Remote Code Execution
- Root Cause: Use of a vulnerable version of the Fastjson library
- Attack Vector: Network (no authentication required)
- Endpoint: /bic/ssoService/v1/applyCT
- Exploit Mechanism: The endpoint deserializes untrusted JSON input using Fastjson’s auto-type feature, allowing attackers to load arbitrary Java classes via a ...
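As an added example (not code from the article or from HIKVISION), the following Python scanner walks constructed request-log lines and flags POSTs to the affected endpoint whose JSON body carries Fastjson's "@type" auto-type marker anywhere in the structure; the log line format, IP addresses and the placeholder class name are assumptions for this illustration.

```python
import json
import re
from typing import Optional

# Constructed sample log lines (not taken from the article). Assumed format
# for this example only: "<client-ip> <method> <path> <request-body>".
SAMPLE_LOG = """\
10.0.0.5 POST /bic/ssoService/v1/applyCT {"username":"ops","token":"abc"}
10.0.0.9 POST /bic/ssoService/v1/applyCT {"data":{"@type":"com.example.Placeholder","x":1}}
10.0.0.9 GET /bic/ssoService/v1/applyCT -
10.0.0.7 POST /other/path {"@type":"com.example.Placeholder"}
10.0.0.8 POST /bic/ssoService/v1/applyCT {not valid json
"""

TARGET_PATH = "/bic/ssoService/v1/applyCT"   # endpoint named in the advisory
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def has_autotype_key(node) -> bool:
    """Recursively look for Fastjson's "@type" marker in parsed JSON,
    including inside nested objects and arrays."""
    if isinstance(node, dict):
        if "@type" in node:
            return True
        return any(has_autotype_key(v) for v in node.values())
    if isinstance(node, list):
        return any(has_autotype_key(v) for v in node)
    return False


def classify(line: str) -> Optional[str]:
    """Return a finding for a suspicious request line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, body = m.groups()
    if path != TARGET_PATH or method != "POST":
        return None
    try:
        parsed = json.loads(body)
    except ValueError:
        # Fastjson accepts syntax Python's strict parser rejects, so a body
        # that fails to parse is surfaced for review rather than ignored.
        return f"review: malformed JSON body from {ip}"
    if has_autotype_key(parsed):
        return f"alert: @type autoType marker in applyCT request from {ip}"
    return None


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```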
Copyright of this story solely belongs to gbhackers.