Chinese video surveillance equipment manufacturer Hikvision has swiftly responded to security concerns by announcing patches for two vulnerabilities discovered in its security management system, HikCentral Professional. The more critical of the two, CVE-2024-25063, poses a high-severity risk by allowing unauthorized access to specific URLs due to insufficient server-side validation. HikCentral Professional, a comprehensive system for managing video, access control, alarm detection, and other security features, is impacted in versions 2.5.1 and below. Although the extent of potential data exposure and the ability to control or disrupt security systems remains unclear, Hikvision has taken proactive measures to address the vulnerability.
The second identified bug, CVE-2024-25064, carries a ‘medium’ severity rating, requiring authentication for exploitation. Present in all HikCentral Professional iterations from version 2.0.0 to 2.5.1, this vulnerability arises from insufficient server-side validation, enabling a logged-in attacker to access unauthorized resources by manipulating parameter values. Security researchers Michael Dubell and Abdulazeez Omar were credited with discovering and reporting these vulnerabilities, collaborating with Hikvision to develop patches and validate mitigations. While Hikvision asserts that there is no evidence of these vulnerabilities being exploited in the field, they urge partners to follow provided guidance to ensure proper cyber hygiene.
