CriticalPublic exploit

Unauthenticated RCE in Hikvision Integrated Security Management Platform applyCT via Fastjson deserialization

IdentifiersCVE-2025-34067CWE-502· Deserialization of Untrusted Data

CVE-2025-34067 is an unauthenticated remote code execution vulnerability in the applyCT component of Hikvision Integrated Security Management Platform. According to the provided content, the /bic/ssoService/v1/applyCT endpoint deserializes untrusted user-supplied data using a vulnerable version of the Fastjson library. Because Fastjson auto-type can be abused to instantiate attacker-controlled classes, a remote attacker can supply crafted serialized input that references a malicious class over LDAP, causing the target to load arbitrary Java classes and execute attacker-controlled code on the underlying system. The issue is therefore a Java unsafe deserialization flaw in a network-reachable endpoint, with exploitation requiring no authentication. The content also states exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution on the affected Hikvision management platform. An attacker could execute arbitrary commands on the host system, fully compromise the application server, access or manipulate surveillance-management data and functions, establish persistence, pivot further into connected environments, and potentially disrupt or take control of security-management operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable external access to the /bic/ssoService/v1/applyCT endpoint and avoid exposing the management platform directly to the internet. Place the system behind VPN or zero-trust access controls, limit access to trusted administrative networks, and monitor for suspicious requests to the applyCT endpoint and for outbound LDAP/RMI-style lookups from the server. Network segmentation around the management platform and egress filtering to block unnecessary directory/protocol lookups can reduce exploitability until patches are applied.

Remediation

Patch, then assume compromise.

Apply the vendor patch or fixed release for Hikvision Integrated Security Management Platform/HikCentral Professional that addresses CVE-2025-34067. The provided content indicates patches are available. Because the root cause is use of a vulnerable Fastjson version and unsafe deserialization behavior, remediation should include upgrading Fastjson to a non-vulnerable version and removing or disabling unsafe auto-type deserialization in the affected applyCT code path.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app

socradar blogNews

Apr 17, 2026

Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next

A specific vulnerability affecting IP camera/CCTV firmware that is called out as relevant amid increased targeting of camera infrastructure by Iran-linked actors.

cyber security newsNews

Mar 18, 2026

Iran-Linked Cyber Campaigns Converge With Electronic and Psychological Warfare as Regional Conflict Escalates

A specific vulnerability affecting Hikvision cameras that was reportedly exploited during scanning and compromise activity against exposed IoT devices.

resecurity blogNews

Mar 17, 2026

Resecurity | Iran War: Kinetic, Cyber, Electronic and Psychological Warfare Convergence

An authentication/command-related vulnerability affecting Hikvision cameras that pro-Iranian actors were reportedly targeting.

polyswarmNews

Mar 16, 2026

Footholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving

A remote code execution vulnerability in Hikvision management platforms targeted in Iran-linked scanning and exploitation activity involving internet-connected cameras.

+5 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-34067

NVD

nvd.nist.gov/vuln/detail/CVE-2025-34067

MITRE CWE · CWE-502

Deserialization of Untrusted Data

github.com

github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md

s4e.io

s4e.io/tools/hikvision-applyct-remote-code-execution

vulncheck.com

vulncheck.com/advisories/hikvision-ismp-rce-applyct