A critical security vulnerability has been identified in the Longwatch video surveillance and monitoring system developed by Industrial Video & Control (IV&C), posing a severe risk to industrial operational technology (OT) environments. The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory detailing a flaw that permits attackers to seize control of these systems with the highest level of privileges, without requiring any credentials.
The vulnerability, tracked as CVE-2025-13658, carries a critical CVSS v3.1 base score of 9.8. It is categorized as “Improper Control of Generation of Code.”
The flaw resides in how the device handles incoming web traffic. According to the advisory, the vulnerability “allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint”. This critical gap exists “due to the absence of code signing and execution controls.”
The implications of this vulnerability are profound for organizations relying on Longwatch for monitoring critical infrastructure. Because the flaw can be triggered remotely without authentication, it offers a frictionless entry point for attackers.
“Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges,” the report states. Specifically, an attacker who successfully exploits this weakness gains “SYSTEM-level privileges,” giving them complete control over the surveillance server.
The vulnerability affects Longwatch versions 6.309 to 6.334. The flaw was reported to CISA by a “Concerned OT Engineer”.
Industrial Video & Control has released a patch to address this security gap. Users running versions 6.309 to 6.334 should upgrade to version 6.335 or later to ensure protection against this vulnerability.
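The version guidance above can be applied to an asset inventory as follows; this is an added example, not code from CISA or IV&C. The CSV layout, host names and the `major.build` reading of version strings are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

AFFECTED_MIN = (6, 309)  # first affected version named in the advisory
AFFECTED_MAX = (6, 334)  # last affected version named in the advisory
FIXED_MIN = (6, 335)     # first fixed version named in the advisory

# Constructed sample inventory; hosts and column names are assumptions.
SAMPLE_INVENTORY = """host,longwatch_version
lw-plant-a,6.309
lw-plant-b,v6.334
lw-plant-c,6.335
lw-plant-d,6.31
lw-plant-e,6.120
lw-plant-f,unknown
"""

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)$", re.IGNORECASE)

def classify(raw):
    """Map one recorded version string to a triage status."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        return "review"  # unparseable: check the host by hand
    major, build_text = int(m.group(1)), m.group(2)
    # "6.31" could mean build 31 or 6.310, and a float comparison would
    # silently place it inside the affected range. Do not guess.
    if major == 6 and len(build_text) != 3:
        return "review"
    version = (major, int(build_text))
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"
    return "outside-advisory-range"  # older than 6.309: not covered by the advisory

def triage(csv_text):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["longwatch_version"]) for row in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts marked `review` or `outside-advisory-range` still need a manual check, since the advisory text only speaks to versions 6.309 and later.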