CVE-2025-34067
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-11-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated remote command execution issue in the applyCT component of the Hikvision Integrated Security Management Platform. It arises because the platform uses a vulnerable version of the Fastjson library that deserializes untrusted user input at the /bic/ssoService/v1/applyCT endpoint. An attacker can exploit Fastjson's auto-type feature by referencing a malicious Java class via an LDAP URL, which allows them to execute arbitrary code remotely on the affected system.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code remotely on the affected system without any authentication. This means the attacker could take full control of the system, potentially leading to data theft, system disruption, installation of malware, or further attacks within the network.