Hikvision, the Chinese video surveillance equipment manufacturer, has recently released patches to address two vulnerabilities in its HikCentral Professional security management system. The more critical of the two flaws, identified as CVE-2024-25063, presents a high-severity risk by potentially allowing unauthorized access to specific URLs. This vulnerability impacts HikCentral Professional versions 2.5.1 and earlier due to insufficient server-side validation. Exploiting this flaw could grant attackers access to restricted URLs, potentially compromising sensitive data. While the extent of data exposure and the potential for disrupting security systems remain unclear, Hikvision urges caution.
The second vulnerability, CVE-2024-25064, is rated 'medium' severity as it necessitates authentication for exploitation. This flaw affects all iterations of HikCentral Professional ranging from version 2.0.0 to 2.5.1. Like the first vulnerability, CVE-2024-25064 stems from insufficient server-side validation, enabling authenticated attackers to access unauthorized resources by altering parameter values.
Security researchers Michael Dubell and Abdulazeez Omar are credited with identifying and reporting these vulnerabilities. Hikvision acknowledges their collaboration over the past months to address the issues and validate the implemented mitigations. Despite no known exploitation of these vulnerabilities in the field, Hikvision advises partners to adhere to the guidance outlined in the advisory to maintain proper cyber hygiene. This notification underscores the importance of timely patching and proactive security measures to mitigate potential risks associated with such vulnerabilities.
In summary, Hikvision has taken proactive steps to address critical vulnerabilities in its HikCentral Professional security management system. The company's collaboration with security researchers reflects a commitment to enhancing product security and safeguarding against potential cyber threats. By promptly releasing patches and encouraging partners to prioritize cybersecurity protocols, Hikvision aims to bolster the resilience of its security infrastructure and protect users from potential exploitation.
