Hikvision warned its partners Friday of two vulnerabilities affecting some versions of its HikCentral Professional security management software.
Hikvision identified the vulnerabilities as CVE-2024-25063 and CVE-2024-25064 and rated them 7.5 and 4.3 respectively using the CVSS v3.1 calculator.
The versions affected by the vulnerabilities are listed in Hikvision's security advisory, which says that due to “insufficient server-side validation, a successful exploit of this vulnerability could allow an attacker to gain access to certain URLs that the attacker should not have access to. This lack of validation might also allow an attacker with login privileges to access certain resources they should not have access to by changing parameter values.”
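The flaw class the advisory describes, an authenticated user reaching another user's resource by changing a parameter value, is missing server-side authorization. The constructed Python below is an added illustration, not Hikvision's or HikCentral's code, and contrasts a handler that trusts a client-supplied resource id with one that re-checks ownership or role on every request; all names, roles and sample data are assumptions.

```python
"""Illustrative server-side authorization check (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner: str
    path: str  # URL the resource is served from


# Constructed sample data: two users, each owning one resource.
RESOURCES: Dict[str, Resource] = {
    "101": Resource("101", "alice", "/api/resources/101"),
    "202": Resource("202", "bob", "/api/resources/202"),
}
# Constructed role map: admins may read any resource, users only their own.
ROLES: Dict[str, Set[str]] = {"alice": {"user"}, "bob": {"user"}, "carol": {"admin"}}


def fetch_unchecked(session_user: str, resource_id: str) -> Optional[Resource]:
    """Vulnerable pattern: a valid session is treated as sufficient, and the
    resource_id parameter is looked up without asking whether the caller may see it."""
    if session_user not in ROLES:
        return None  # only authentication is enforced, not authorization
    return RESOURCES.get(resource_id)


def fetch_checked(session_user: str, resource_id: str) -> Optional[Resource]:
    """Hardened pattern: authenticate, then authorize on the server for every
    request, deciding on the caller's identity rather than on client-sent fields."""
    roles = ROLES.get(session_user)
    if roles is None:
        return None
    res = RESOURCES.get(resource_id)
    if res is None:
        return None
    if "admin" in roles or res.owner == session_user:
        return res
    return None  # deny by default; a real service would also log the attempt


if __name__ == "__main__":
    # bob changes the id parameter to read alice's resource
    print(fetch_unchecked("bob", "101"))  # resource returned: access control missing
    print(fetch_checked("bob", "101"))    # None: denied server-side
```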
Hikvision told partners to check the advisory to learn the technical details and actionable information.
“While Hikvision is not aware of these vulnerabilities being exploited in the field, we encourage our partners to work with their customers following the guidance provided in the advisory to ensure proper cyber hygiene,” Hikvision said in a statement distributed to partners Friday.
Hikvision says that over the past few months, the company has been working with researchers Michael Dubell and Abdulazeez Omar, who reported the issues, “to patch and verify the successful mitigation of the reported vulnerabilities.”
Hikvision said it is committed to continuing to work with third-party security researchers to “find, patch, disclose and release updates to products in a timely manner that best protects the users of Hikvision products.”
To report any security issues or vulnerabilities in Hikvision products and solutions, contact the Hikvision Security Response Center at [email protected].