The Hikvision Security Response Center (HSRC) has released a new advisory detailing three vulnerabilities affecting different versions of the company’s HikCentral product line. The flaws range from CSV injection and local privilege escalation to a critical access control bypass.
According to HSRC:
- CVE-2025-39245 (CVSS 4.7) – There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.
- CVE-2025-39246 (CVSS 5.3) – There is an Unquoted Service Path Vulnerability in some HikCentral FocSign versions. This could allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2025-39247 (CVSS 8.6) – There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
The last vulnerability represents the most severe risk, as it enables full administrative takeover of HikCentral Professional without prior authentication.
HSRC confirmed the following impacted versions and available patches:
Affected Versions and Fix
| Product Name | CVE ID | Affected Versions | Fixed Version |
| --- | --- | --- | --- |
| HikCentral Master Lite | CVE-2025-39245 | Versions between V2.2.1 and V2.3.2 | V2.4.0 |
| HikCentral FocSign | CVE-2025-39246 | Versions between V1.4.0 and V2.2.0 | V2.3.0 |
| HikCentral Professional | CVE-2025-39247 | Versions between V2.3.1 and V2.6.2; Version V3.0.0 | V2.6.3 or V3.0.1 |
The three vulnerabilities present different levels of risk:
- CSV Injection (CVE-2025-39245): the payload does not run on the HikCentral server itself. A cell that begins with a formula trigger such as =, +, -, @ (or a tab or carriage return) is evaluated only when the exported file is opened in a spreadsheet client, so exploitation needs an operator to export and open attacker-influenced data.
- Unquoted Service Path (CVE-2025-39246): requires local access, but on Windows a service binary path that contains spaces and is not quoted lets a user who can write to one of the parent directories plant an executable that the service control manager starts instead of the intended binary, typically with the service's privileges.
- Access Control Bypass (CVE-2025-39247): the most dangerous of the three, as it gives a remote unauthenticated attacker full administrator rights in HikCentral Professional deployments.
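The CSV injection class is fixed on the exporting side by neutralizing any cell a spreadsheet would evaluate as a formula. The Python below is an added illustration written for this page, not Hikvision's or HSRC's code: it shows an unhardened export beside a hardened one on a constructed sample row, using the usual mitigation of prefixing trigger cells with a single quote and quoting every field. The field names and the payload are made up for the example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a
# formula (or a DDE link) when the exported file is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Control characters that can hide a trigger from naive checks.
CONTROL_TRIGGERS = ("\t", "\r", "\n")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will show as literal text.

    A leading apostrophe forces text interpretation. Leading whitespace is
    ignored before the check because "  =cmd" still triggers in some clients.
    Trade-off: negative numbers such as "-5" are prefixed too, so real
    exporters usually apply this only to free-text columns.
    """
    text = "" if value is None else str(value)
    if text.startswith(CONTROL_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, harden=True):
    """Serialize rows as CSV; with harden=False the raw payload is written as-is."""
    buf = io.StringIO()
    # QUOTE_ALL doubles embedded quotes and wraps every field, so a crafted
    # value cannot break out of its cell with a separator or line break.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if harden else c for c in row])
    return buf.getvalue()


# Constructed sample: an attacker-controlled "name" field carrying a
# DDE-style payload, followed by a benign row.
SAMPLE_ROWS = [
    ["name", "badge"],
    ['=cmd|"/c calc"!A1', "1001"],
    ["Alice", "1002"],
]

if __name__ == "__main__":
    print("--- unhardened export ---")
    print(export_csv(SAMPLE_ROWS, harden=False))
    print("--- hardened export ---")
    print(export_csv(SAMPLE_ROWS))
```

In the hardened output the payload row becomes `"'=cmd|""/c calc""!A1","1001"`, which a spreadsheet displays as text rather than evaluating. The apostrophe is visible to the user, which is why some exporters instead prepend a tab; either way the neutralization belongs in the exporter, not in the client.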
Given HikCentral’s role in video management and enterprise control systems, successful exploitation could allow attackers to compromise surveillance infrastructure, manipulate access policies, or disrupt critical services.
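Not every unquoted service path is exploitable: the attacker must be able to create a file in one of the directories Windows searches before reaching the real binary. The Python below is an added example for this page, not Hikvision's or HSRC's code. It enumerates the executables Windows' CreateProcess would try for an unquoted command line with spaces (`C:\Program.exe`, then `C:\Program Files\Vendor.exe`, and so on) and flags those whose parent directory is writable. The service names, paths and the writable-directory set are constructed for illustration and are not HikCentral's actual service definitions; on a real host the records would come from `Get-CimInstance Win32_Service` (Name, PathName, StartMode) and writability from `icacls` on each parent directory.

```python
import ntpath
import re


def _norm_dir(path):
    """Case-insensitive directory key without a trailing backslash."""
    return path.rstrip("\\").lower()


def hijack_candidates(image_path):
    """Executables Windows would try before the intended binary, in order.

    For an unquoted command line containing spaces, CreateProcess tries each
    space-delimited prefix with '.exe' appended. Quoted paths and paths
    without spaces are unambiguous and yield an empty list.
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    # Treat everything up to the first ".exe" as the executable; anything
    # after it is arguments and does not take part in the search.
    match = re.search(r"\.exe", path, re.IGNORECASE)
    exe = path[: match.end()] if match else path
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services, writable_dirs):
    """Report unquoted service paths and which candidates could be planted.

    services: iterable of (name, image_path, start_mode) tuples.
    writable_dirs: directories the current low-privileged user can write to.
    A finding is only exploitable if at least one candidate's parent
    directory is in writable_dirs.
    """
    writable = {_norm_dir(d) for d in writable_dirs}
    findings = []
    for name, image_path, start_mode in services:
        candidates = hijack_candidates(image_path)
        if not candidates:
            continue
        exploitable = [c for c in candidates if _norm_dir(ntpath.dirname(c)) in writable]
        findings.append({
            "service": name,
            "image_path": image_path,
            "start_mode": start_mode,
            "candidates": candidates,
            "exploitable": exploitable,
        })
    return findings


# Constructed sample records: hypothetical names and paths, not Hikvision's.
SAMPLE_SERVICES = [
    ("ExampleVideoSvc", r"C:\Program Files\Example Vendor\Video Service\videosvc.exe", "Auto"),
    ("ExampleQuotedSvc", r'"C:\Program Files\Example Vendor\Quoted Service\quoted.exe" -run', "Auto"),
    ("ExampleNoSpaceSvc", r"C:\Tools\nospace.exe", "Manual"),
]
# Constructed: assume the vendor directory was left writable by Users.
SAMPLE_WRITABLE = {r"C:\Program Files\Example Vendor"}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES, SAMPLE_WRITABLE):
        print(finding["service"], finding["start_mode"], finding["image_path"])
        for candidate in finding["candidates"]:
            flag = "WRITABLE PARENT" if candidate in finding["exploitable"] else "ok"
            print("   ", candidate, "->", flag)
```

Only the first sample service is reported: the quoted path and the path without spaces are unambiguous. Of its three candidates, only `C:\Program Files\Example Vendor\Video.exe` sits in a writable directory, which is the combination (unquoted path plus a writable parent plus an Auto-start service) that turns this class of bug into a privilege escalation at the next reboot or service restart.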