Hikvision’s Security Response Center published advisory HSRC-202508-01 on 28 August 2025, disclosing three CVEs across HikCentral Professional, HikCentral Master Lite, and HikCentral FocSign. The most serious — CVE-2025-39247 — carries a CVSS v3.1 base score of 8.6 and allows an unauthenticated remote attacker to obtain administrator-level permissions in HikCentral Professional. If your organisation runs HikCentral Professional on-premises, this advisory requires immediate attention.
What the Three CVEs Cover
Hikvision has confirmed three distinct vulnerabilities under this advisory, each affecting a different product in the HikCentral family:
- CVE-2025-39245 — CSV Injection in HikCentral Master Lite (CVSS 4.7): Affected versions V2.2.1 through V2.3.2. An attacker can embed content in CSV data that a spreadsheet application interprets as a formula and evaluates when the exported file is opened. Exploitation requires user interaction (UI:R in the CVSS vector), but the scope is marked as Changed (S:C), meaning impact can extend beyond the vulnerable component. Fixed in V2.4.0.
- CVE-2025-39246 — Unquoted Service Path in HikCentral FocSign (CVSS 5.3): Affected versions V1.4.0 through V2.2.0. An authenticated local user could leverage the unquoted service path to escalate privileges. The attack vector is local, which removes the immediate remote-exploitation risk, but it remains a meaningful risk in shared or multi-tenant environments. Fixed in V2.3.0.
- CVE-2025-39247 — Unauthenticated Access Control in HikCentral Professional (CVSS 8.6): Affected versions V2.3.1 through V2.6.2, and V3.0.0. This is the critical issue. No authentication is required, no user interaction is needed, and the network attack vector is remote. A successful exploit grants an unauthenticated user admin-level permission over the HikCentral Professional platform — which controls video access, camera configuration, user management, and potentially integrated access-control functions. Fixed in V2.6.3 or V3.0.1.
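The CSV-injection class behind CVE-2025-39245, from the defender's side. This is an added example, not code from the advisory or from Hikvision: a scanner that flags cells in existing CSV data that a spreadsheet would evaluate as a formula (useful for exports from a build you cannot patch yet), next to the vulnerable export pattern and its neutralised counterpart. The device rows are constructed sample data and are not taken from any HikCentral export; the formula strings used are harmless arithmetic.

```python
"""CSV injection seen from the defender's side: detect formula-looking cells
in incoming CSV text, and neutralise them on export.

Sample data below is constructed for this example; it is not a HikCentral
export and the device names are fictional.
"""
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula (or as a cell-level control character) when a CSV is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(cell):
    """True if a text cell would be evaluated as a formula on open."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell):
    """Prefix a formula-looking text cell with an apostrophe so the spreadsheet
    keeps it as literal text. Non-string values (real numbers) pass through,
    so a numeric -5 is not mangled."""
    if looks_like_formula(cell):
        return "'" + cell
    return cell


def scan_csv(text):
    """Return (row, column, value) for every cell in existing CSV text that a
    spreadsheet would treat as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, value in enumerate(row):
            if looks_like_formula(value):
                findings.append((r, c, value))
    return findings


def export_unsafe(rows):
    """Exporter that writes user-controlled fields verbatim (the vulnerable pattern)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def export_safe(rows):
    """Same exporter with every cell neutralised first (the hardened pattern)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(
        [[neutralise_cell(cell) for cell in row] for row in rows]
    )
    return buf.getvalue()


# Constructed sample: a device list in which two device names were set to
# harmless formula strings by someone with edit rights on the device record.
SAMPLE_ROWS = [
    ["device_name", "ip", "channels"],
    ["Lobby Cam 1", "10.0.0.11", 1],
    ["=1+1", "10.0.0.12", 4],
    ["@SUM(1,1)", "10.0.0.13", 2],
]

if __name__ == "__main__":
    print("unsafe export:\n" + export_unsafe(SAMPLE_ROWS))
    print("safe export:\n" + export_safe(SAMPLE_ROWS))
    print("flagged cells in unsafe export:", scan_csv(export_unsafe(SAMPLE_ROWS)))
```

The apostrophe prefix is the usual neutralisation because it survives a round trip through the spreadsheet as visible text; the scanner is the part to run over any CSV you receive from an unpatched Master Lite instance before a user opens it.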
Operational Implications for HikCentral Sites
HikCentral Professional is widely deployed in commercial buildings, strata complexes, clubs, retail precincts, and campus environments across Australia. It is the centralised management layer for Hikvision CCTV and, in many installations, integrated alarm and access-control events. An unauthenticated attacker who can reach the HikCentral Professional web interface — even from an internal network segment — could theoretically:
- Enumerate or export camera feeds and recorded footage
- Modify system configuration, including user accounts and camera groupings
- Disable recording schedules or tamper with event rules
- In integrated deployments, interact with access-control or alarm configurations exposed through the platform
The CVSS vector for CVE-2025-39247 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates high confidentiality impact with a changed scope — meaning the compromise is not contained to HikCentral itself. Organisations that have not segmented their CCTV management network from corporate LAN or guest Wi-Fi should treat exposure as elevated.
For CVE-2025-39246 affecting FocSign (the digital signage component), the local-access requirement lowers the urgency compared to the Professional vulnerability, but it remains relevant in venues where staff or contractors have workstation access on the same host running FocSign services.
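The check a practitioner wants for the unquoted-service-path class behind CVE-2025-39246: flag any Windows service whose ImagePath contains spaces without surrounding quotes, and produce the quoted value to set. This is an added example, not Hikvision's code. The service entries are constructed sample data, and the names and install locations are fictional rather than FocSign's real service definitions; the optional registry reader at the bottom runs only on Windows and reads the standard Services key.

```python
"""Detect unquoted service binary paths and suggest the quoted form.

Sample service entries are constructed for this example and do not reflect
FocSign's actual service names or paths.
"""
import re
import sys

# The binary path ends at the first executable extension; anything after a
# following space is treated as service arguments.
_IMAGE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?:\s+(.*))?$", re.IGNORECASE)


def analyse_image_path(image_path):
    """Return a dict describing whether the path is unquoted-with-spaces and
    what the corrected value looks like."""
    path = image_path.strip()
    if path.startswith('"'):
        return {"risky": False, "reason": "quoted", "suggested": path}
    match = _IMAGE_RE.match(path)
    if not match:
        # No recognisable executable extension (driver paths, for instance):
        # report for manual review rather than guessing.
        return {"risky": False, "reason": "unparsed", "suggested": path}
    binary, args = match.group(1), match.group(2) or ""
    if " " not in binary:
        return {"risky": False, "reason": "no spaces", "suggested": path}
    suggested = f'"{binary}"' + (f" {args}" if args else "")
    return {"risky": True, "reason": "unquoted path with spaces", "suggested": suggested}


def audit(services):
    """services: mapping of service name -> ImagePath. Returns (name, suggested
    ImagePath) for every service that is flagged."""
    flagged = []
    for name, image_path in services.items():
        result = analyse_image_path(image_path)
        if result["risky"]:
            flagged.append((name, result["suggested"]))
    return flagged


# Constructed sample registry values (fictional vendor and service names).
SAMPLE_SERVICES = {
    "SignageSvc": r"C:\Program Files\Example Vendor\Signage\SignageSvc.exe -k net",
    "VendorUpdater": r'"C:\Program Files\Example Vendor\Updater\upd.exe" /service',
    "svchost-netsvcs": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}


def services_from_registry():
    """Read ImagePath for every service under the Services registry key
    (HKLM\\SYSTEM\\CurrentControlSet\\Services). Windows only; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    services[name], _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                pass  # no ImagePath value or access denied; skip
    return services


if __name__ == "__main__":
    live = services_from_registry()
    for name, fix in audit(live or SAMPLE_SERVICES):
        print(f"{name}: set ImagePath to {fix}")
```

Running this on the FocSign host before the V2.3.0 update gives you the service to quote as an interim measure; after the update, running it again confirms the vendor's fix actually landed.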
Mallen Services Recommendations
For facilities managers and IT teams operating Hikvision HikCentral environments, Mallen Services advises the following immediate steps:
- Identify your HikCentral Professional version now. Any installation running V2.3.1 through V2.6.2 or V3.0.0 is affected by the critical CVE-2025-39247. Log into the HikCentral Professional console and confirm the build version under System Settings.
- Prioritise upgrade to V2.6.3 or V3.0.1. Both fixed versions are available via Hikvision’s download portal, linked in the official advisory. Contact Hikvision technical support or your integrator if you have a support agreement in place.
- Check HikCentral Master Lite and FocSign versions and schedule updates to V2.4.0 and V2.3.0 respectively within your next maintenance window.
- Review network segmentation immediately. While patch deployment is arranged, confirm that the HikCentral server management interface is not directly reachable from untrusted network segments. If it is, implement firewall rules or VLAN restrictions to limit access to authorised management workstations only.
- Audit admin accounts and recent login activity in HikCentral Professional to check for any signs of unauthorised access prior to patching.
- Contact Mallen Services if you need assistance with version identification, upgrade planning, or post-patch verification on your HikCentral environment.
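For teams responsible for more than one site, the version-identification and prioritisation steps above are easier to apply as a script. The following is an added example, not Hikvision's or Mallen Services' tooling: it encodes the affected ranges and fixed builds exactly as quoted in the advisory summary, checks an inventory against them, and orders the findings by severity. The inventory is constructed sample data; it assumes version strings use the advisory's V-major.minor.patch form and deliberately reports anything else for manual verification.

```python
"""Triage a HikCentral inventory against the version ranges in HSRC-202508-01.

Affected ranges and fixed builds are the ones stated in the advisory summary;
the inventory at the bottom is constructed sample data, not a real site list.
"""
import re

ADVISORY = {
    "HikCentral Professional": {
        "cve": "CVE-2025-39247",
        "affected": [("V2.3.1", "V2.6.2"), ("V3.0.0", "V3.0.0")],
        "fixed": ["V2.6.3", "V3.0.1"],
    },
    "HikCentral Master Lite": {
        "cve": "CVE-2025-39245",
        "affected": [("V2.2.1", "V2.3.2")],
        "fixed": ["V2.4.0"],
    },
    "HikCentral FocSign": {
        "cve": "CVE-2025-39246",
        "affected": [("V1.4.0", "V2.2.0")],
        "fixed": ["V2.3.0"],
    },
}

_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'V2.6.2' -> (2, 6, 2). Raises ValueError on anything else so that an
    unexpected build string is reported rather than silently skipped."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(product, version):
    """True if the installed version falls inside an affected range (inclusive)."""
    installed = parse_version(version)
    return any(parse_version(lo) <= installed <= parse_version(hi)
               for lo, hi in ADVISORY[product]["affected"])


def required_fix(product, version):
    """Lowest fixed build above the installed one, which keeps a V2.x site on
    the V2 branch (V2.6.3) and a V3.0.0 site on V3 (V3.0.1)."""
    installed = parse_version(version)
    candidates = [f for f in ADVISORY[product]["fixed"] if parse_version(f) > installed]
    return min(candidates, key=parse_version)


def triage(inventory):
    """inventory: iterable of (site, product, version). Returns one finding per
    entry that needs action, highest-severity CVE first."""
    priority = {"CVE-2025-39247": 0, "CVE-2025-39246": 1, "CVE-2025-39245": 2}
    findings = []
    for site, product, version in inventory:
        try:
            affected = is_affected(product, version)
        except ValueError as exc:
            findings.append({"site": site, "product": product, "version": version,
                             "status": "verify manually", "detail": str(exc)})
            continue
        if affected:
            findings.append({"site": site, "product": product, "version": version,
                             "status": "affected", "cve": ADVISORY[product]["cve"],
                             "upgrade_to": required_fix(product, version)})
    findings.sort(key=lambda f: priority.get(f.get("cve"), 3))
    return findings


# Constructed sample inventory (fictional sites).
SAMPLE_INVENTORY = [
    ("Site A", "HikCentral Professional", "V2.6.2"),
    ("Site B", "HikCentral Professional", "V3.0.0"),
    ("Site C", "HikCentral Professional", "V2.6.3"),
    ("Site D", "HikCentral Master Lite", "V2.3.2"),
    ("Site E", "HikCentral FocSign", "V2.2.1"),
    ("Site F", "HikCentral FocSign", "build 2024-11"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Anything that comes back as "verify manually" should be confirmed in the console under System Settings rather than assumed safe; the parser is strict on purpose so that an unfamiliar build string never drops a site out of the list.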
These vulnerabilities were responsibly disclosed to Hikvision’s HSRC by independent security researchers and patched versions are available now. There is no justification for delay in applying the CVE-2025-39247 fix given the severity score and the zero-authentication attack path.
Original source: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products/