Introduction
Unauthorized access to surveillance management infrastructure can result in loss of monitoring, tampering with security footage, and compromise of physical access controls. CVE-2025-39247 is a high-severity access control vulnerability in Hikvision's HikCentral Professional platform that could allow unauthenticated attackers to obtain full administrative privileges on affected systems.
About Hikvision and HikCentral Professional: Hikvision is one of the largest manufacturers of video surveillance equipment globally, with millions of devices deployed across commercial, government, and industrial environments. HikCentral Professional is their flagship centralized management solution for video surveillance, access control, and alarm systems, making it a critical component in many security operations.
Technical Information
CVE-2025-39247 is classified as an access control vulnerability in certain versions of HikCentral Professional. The vulnerability allows an unauthenticated user to escalate privileges and obtain administrator permissions on the management platform. The flaw is exploitable over the network, requires no prior authentication, and does not require user interaction. The CVSS v3.1 score is 8.6, reflecting the high impact and ease of exploitation.
The root cause is a failure in the platform's access control mechanisms; beyond that, no technical details, vulnerable endpoints, code snippets, or proof-of-concept have been published in public sources as of this writing. An attacker who exploited the flaw would gain full control over the surveillance management platform, including camera feeds, access control, and alarm systems.
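As an added illustration of the vulnerability class the advisory names, and not code from HikCentral Professional or Hikvision (the public advisory discloses no endpoints, parameters, or root cause, so nothing here describes the real flaw): a hypothetical management-API handler that derives the caller's role from request data sits next to a hardened handler that takes the role only from a server-side session and denies by default. The session store, tokens, action names, and the `handle_vulnerable`, `handle_fixed`, and `is_denied` functions are all constructed for this example.

```python
"""Broken access control in a surveillance management API, and its fix.

Hypothetical example. This is NOT HikCentral Professional code; the public
advisory for CVE-2025-39247 gives no technical details. It only shows the
general class of flaw named there: an unauthenticated caller reaching
administrator-only functions because authorization is decided from data the
caller controls instead of from server-side state.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed privilege model for a management platform.
ADMIN_ACTIONS = {"add_user", "change_role", "export_footage"}
OPERATOR_ACTIONS = {"view_feed"}

# Constructed server-side session store: session token -> role.
SESSIONS: Dict[str, str] = {
    "tok-admin-1": "admin",
    "tok-op-1": "operator",
}


class Forbidden(Exception):
    """Raised when a request is not authorized for the requested action."""


@dataclass
class Request:
    action: str
    token: Optional[str] = None          # session token, if any
    params: Dict[str, str] = field(default_factory=dict)


def _dispatch(action: str, role: str) -> str:
    """Allow-list dispatch: an action runs only if the role explicitly has it."""
    if role == "admin":
        allowed = ADMIN_ACTIONS | OPERATOR_ACTIONS
    elif role == "operator":
        allowed = OPERATOR_ACTIONS
    else:
        allowed = set()                  # anonymous callers get nothing
    if action not in allowed:
        raise Forbidden(f"role {role!r} may not perform {action!r}")
    return f"{action} ok as {role}"


def handle_vulnerable(req: Request) -> str:
    """Flawed handler: honours a caller-supplied 'role' parameter and only
    falls back to the session when that parameter is absent. The check that
    follows is correct; the input it checks is attacker-controlled."""
    role = req.params.get("role")
    if role is None:
        role = SESSIONS.get(req.token or "", "anonymous")
    return _dispatch(req.action, role)


def handle_fixed(req: Request) -> str:
    """Hardened handler: no valid session means no request is served, and the
    role comes only from the server-side session store, never from the
    request body or query string."""
    if req.token is None or req.token not in SESSIONS:
        raise Forbidden("no valid session")
    return _dispatch(req.action, SESSIONS[req.token])


def is_denied(handler: Callable[[Request], str], req: Request) -> bool:
    """True if the handler refuses the request (used to compare the two)."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # An unauthenticated request claiming the admin role in its parameters.
    anon_admin = Request(action="add_user", params={"role": "admin"})
    print("vulnerable handler denied:", is_denied(handle_vulnerable, anon_admin))
    print("fixed handler denied:     ", is_denied(handle_fixed, anon_admin))
    # A legitimate operator session stays limited to operator actions.
    op_view = Request(action="view_feed", token="tok-op-1")
    print(handle_fixed(op_view))
```

The defender's takeaway is the shape of `handle_fixed`: authentication is checked before any role is derived, the role is read from state the server owns, and `_dispatch` is an allow-list so an unknown role or action is refused rather than silently permitted. Any management platform exposed on the network should be reviewed against exactly these three properties, independent of what the eventual root cause of this CVE turns out to be.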
Affected Systems and Versions
- HikCentral Professional (specific affected versions have not been disclosed in public advisories)
- Only some versions are affected; organizations should consult the official Hikvision advisory for details as they become available
Vendor Security History
Hikvision has a history of critical vulnerabilities in its security management products:
- CVE-2025-34067: Remote code execution in HikCentral Professional (CVSS 10.0)
- CVE-2024-25063 and CVE-2024-25064: Access control issues in HikCentral Professional
- CVE-2023-28808: Access control flaw in Hybrid SAN and cluster storage
- CVE-2022-28173: Access control issue in wireless bridge products
The vendor has established a Security Response Center and has coordinated with external researchers, but the recurrence of high-impact vulnerabilities suggests ongoing challenges in secure development practices.