=====================================================================
CERT-Renater Note d'Information No. 2025/VULN586
_____________________________________________________________________

DATE                 : 05/09/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running HikCentral Master Lite versions prior to 2.4.0,
                       HikCentral FocSign versions prior to 2.3.0,
                       HikCentral Professional versions prior to 2.6.3, 3.0.1.
=====================================================================

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products/
_____________________________________________________________________

Security Vulnerabilities in some HikCentral Products

SN No.               : HSRC-202508-01
Edit                 : Hikvision Security Response Center (HSRC)
Initial Release Date : 2025-08-28

Summary

(1) There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.

(2) There is an Unquoted Service Path Vulnerability in some HikCentral FocSign versions. This could allow an authenticated user to potentially enable escalation of privilege via local access.

(3) There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
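The following Python example is added here for defenders and is not part of the Hikvision advisory or the CERT-Renater note. It shows two checks that correspond to items (1) and (2) above: neutralising formula-triggering cells before a CSV export, and auditing Windows service ImagePath values for the unquoted-path pattern. Every service name, path and row in it is constructed sample data, not a value taken from the affected products.

```python
import csv
import io
import re

# --- (1) CSV injection: neutralise cells before export ----------------------
# Spreadsheet applications evaluate a cell as a formula when it starts with one
# of these characters (OWASP CSV injection guidance), so untrusted text that
# begins with them has to be forced to plain text before it is written out.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as text, not evaluate.

    Numbers pass through untouched so negative values stay numeric; only string
    fields (the ones an external party can influence) receive a leading
    apostrophe, which Excel and LibreOffice treat as a text marker.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialise rows to CSV with every cell neutralised and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# --- (2) Unquoted service path: audit ImagePath values -----------------------
# Windows resolves an unquoted ImagePath that contains spaces by trying each
# space-delimited prefix as a program name, so the risk exists when a directory
# earlier on that path is writable by an unprivileged local user.
_EXE_PREFIX = re.compile(r"(?i)(.+?\.exe)(\s|$)")


def is_unquoted_service_path(image_path):
    """True if the executable part of an unquoted service path contains a space."""
    path = image_path.strip()
    if path.startswith('"'):
        return False  # quoted paths are resolved exactly as written
    match = _EXE_PREFIX.match(path)
    executable = match.group(1) if match else path
    return " " in executable


def audit_services(services):
    """Return, sorted, the names of services whose ImagePath shows the weak pattern."""
    return sorted(name for name, path in services.items()
                  if is_unquoted_service_path(path))


# Constructed sample data (hypothetical service names and paths, not from any product).
CONSTRUCTED_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Vendor\\Good Service\\svc.exe" -run',
    "WeakSvc": "C:\\Program Files\\Vendor\\Weak Service\\svc.exe -run",
    "SysSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
}

# Constructed export rows; the "=1+1" and "@contact" cells would be treated as
# formulas by a spreadsheet if written out raw.
CONSTRUCTED_ROWS = [
    ["user", "display_name"],
    ["alice", "=1+1"],
    ["bob", "@contact"],
    ["carol", -5],
]

if __name__ == "__main__":
    print(export_rows(CONSTRUCTED_ROWS))
    print("Services with unquoted paths:", audit_services(CONSTRUCTED_SERVICES))
```

The apostrophe approach turns any string that merely looks numeric (such as "-5") into text, so apply neutralize_cell to free-text columns and keep genuinely numeric columns typed as numbers. The service audit only flags the pattern; whether a flagged entry is actually a privilege-escalation risk depends on the ACLs of the directories along the path, which is the next thing to check on a real host.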
CVE ID

CVE-2025-39245
CVE-2025-39246
CVE-2025-39247

Scoring

CVSS v3.1 is adopted in scoring these vulnerabilities (http://www.first.org/cvss/specification-document).

CVE-2025-39245  Base score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L)
CVE-2025-39246  Base score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-2025-39247  Base score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Versions and Fix

Product Name             CVE ID          Affected Versions                                    Fixed Version
HikCentral Master Lite   CVE-2025-39245  Versions between V2.2.1 and V2.3.2                   V2.4.0
HikCentral FocSign       CVE-2025-39246  Versions between V1.4.0 and V2.2.0                   V2.3.0
HikCentral Professional  CVE-2025-39247  Versions between V2.3.1 and V2.6.2; Version V3.0.0   V2.6.3 or V3.0.1

Obtaining Fixed Version

Contact the local technical support team to get the support.

Source of Vulnerability Information

These vulnerabilities were reported to HSRC by Yousef Alfuhaid / Nader Alharbi (joint submission), Eduardo Bido, and Dr. Matthias Lutter.

Contact Us

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com. Hikvision would like to thank all security researchers for your attention to our products.

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris       | email : cert@support.renater.fr  +
=========================================================