"Hikvision Patches High-Severity Vulnerability in Security Management System"

Chinese video surveillance equipment manufacturer Hikvision has recently announced patches for two vulnerabilities in its security management system, HikCentral Professional.  The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs.  The bug affects HikCentral Professional version 2.5.1 and below.  According to the company, due to insufficient server-side validation, a successful exploit of this vulnerability could allow an attacker to gain access to certain URLs that the attacker should not have access to.  HikCentral Professional is used to manage video, access control, alarm detection, and other security systems.  The second bug, CVE-2024-25064, has a medium severity rating because it requires authentication to be exploited.  All HikCentral Professional iterations from version 2.0.0 to 2.5.1 are affected.  The company noted that CVE-2024-25064 also exists because of insufficient server-side validation, allowing a logged in attacker to access resources they should not have access to, by modifying parameter values.  All customers are advised to apply the available patches as soon as possible, as vulnerabilities in Hikvision products are known to be exploited in malicious attacks.

SecurityWeek reports: "Hikvision Patches High-Severity Vulnerability in Security Management System"