
Severe Hikvision HikCentral product flaws: What You Need to Know

  • September 4, 2025

Jasper_The_Rasper
Moderator

September 4, 2025 By Pierluigi Paganini

 

Hikvision HikCentral flaw allows unauthenticated users to gain admin rights, risking full control over configs, logs, and critical monitoring.

Security researchers warn of three vulnerabilities impacting Hikvision HikCentral, which is a centralized management software used across many industries for video surveillance, access control, and integrated security operations.

The three vulnerabilities are:

  • CVE-2025-39245 – Base score: 4.7 – There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.
  • CVE-2025-39246 – Base score: 5.3 – There is an Unquoted Service Path Vulnerability in some HikCentral FocSign versions. This could allow an authenticated user to potentially enable escalation of privilege via local access.
  • CVE-2025-39247 – Base score: 8.6 – There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.

One of them was rated as high severity, and it stands out because it allows an unauthenticated user to escalate privileges and ultimately gain administrative access to the system. When attackers can elevate their privileges without even logging in, they essentially hold the keys to the entire environment. That creates a direct path to manipulating configurations, tampering with logs, or even shutting down critical monitoring functions.
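For the unquoted service path weakness class named in CVE-2025-39246, a defender can audit Windows service `ImagePath` values for unquoted executable paths that contain spaces. The following is an added example, not code from the article or from Hikvision; the service names and paths are constructed and do not reflect the actual HikCentral FocSign install layout.

```python
import ntpath
import re

# Executable portion of an unquoted ImagePath: shortest prefix ending in ".exe".
_EXE = re.compile(r'^(.+?\.exe)(?=\s|$)', re.IGNORECASE)

def split_image_path(value):
    """Split a service ImagePath into (executable, arguments, quoted)."""
    s = value.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # malformed: opening quote never closed
            return s[1:], '', True
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE.match(s)
    if m:
        return m.group(1), s[m.end():].strip(), False
    exe, _, args = s.partition(' ')        # no ".exe" found: take the first token
    return exe, args, False

def audit(value):
    """Return None if the path is safe, else the ACLs to review and a quoted fix."""
    exe, args, quoted = split_image_path(value)
    if quoted or ' ' not in exe:
        return None
    # Windows may stop parsing an unquoted path at each space, so every directory
    # that contains such a break point must not be writable by non-administrators.
    dirs = []
    for i, ch in enumerate(exe):
        if ch == ' ':
            d = ntpath.dirname(exe[:i])
            if d not in dirs:
                dirs.append(d)
    fixed = f'"{exe}"' + (f' {args}' if args else '')
    return {'review_acl': dirs, 'fixed': fixed}

def audit_services(services):
    """Map service name -> finding for every service with an unquoted spaced path."""
    return {n: f for n, v in services.items() if (f := audit(v)) is not None}

# Constructed sample data (hypothetical service names and paths).
SAMPLE = {
    'ExampleSignageSvc': r'C:\Program Files\Vendor App\svc.exe -k run',
    'ExampleQuotedSvc': r'"C:\Program Files\Vendor App\agent.exe" --service',
    'ExampleNoSpaceSvc': r'C:\Windows\system32\svchost.exe -k netsvcs',
}

if __name__ == '__main__':
    for name, finding in audit_services(SAMPLE).items():
        print(name, finding)
```

On a real host the input would come from the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`; a flagged entry is remediated by applying the vendor update or quoting the path.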

 
