CVE-2025-39247
Published: 29 August 2025
Summary
CVE-2025-39247 is a high-severity Improper Access Control (CWE-284) vulnerability in some versions of Hikvision's HikCentral Professional. Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. A below-median likelihood score is not a reason to defer remediation: the flaw needs no credentials and no user interaction, so any reachable instance is exposed to whoever finds it.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement); the vendor's own guidance is linked under Deeper analysis below.
Deeper analysis
CVE-2025-39247 is an access control vulnerability (CWE-284) present in some versions of HikCentral Professional. Published on 2025-08-29, it allows an unauthenticated user to obtain admin permissions. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): network-reachable, low attack complexity, no privileges or user interaction required, scope changed, and high confidentiality impact.
An unauthenticated attacker can exploit this vulnerability remotely over the network. With no privileges or user interaction required, exploitation grants admin-level access, potentially exposing sensitive configuration data or giving control over the affected HikCentral Professional instance. Note that the published vector rates integrity and availability impact as none (I:N/A:N). Admin permission would normally allow changes to the system as well, so defenders should treat the 8.6 as a scoring artefact of the vector chosen, not as an upper bound on what an attacker can do with the access.
Mitigation guidance is available in the Hikvision security advisory at https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26202
Vulnerability details
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The flaw is exploited by direct, unauthenticated remote requests to a public-facing HikCentral Professional application, and successful exploitation grants admin privileges; that is the T1190 pattern.
Affected Assets
- HikCentral Professional, some versions (not enumerated on this page; see the Hikvision advisory above)
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access at a single enforcement point; applied here, it means no request reaches admin functionality unless the server has established that the caller holds the admin role.
AC-14 requires the organization to identify, and keep to a minimum, the actions a user may perform without identification or authentication; obtaining admin permission can never be on that list.
IA-8 requires identification and authentication of non-organizational users; any remote caller who has not authenticated is such a user and must be refused access to admin functions.
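The three controls above describe one design rule: deny by default, identify the caller from server-side state only, and keep an explicit, reviewed list of what is reachable without authentication. The following is an added illustration written for this page of the vulnerable pattern beside the hardened one; it is not HikCentral Professional code and says nothing about how this CVE actually arises. The routes, roles, header names and session store are hypothetical.

```python
"""Deny-by-default request authorization (added example, not HikCentral code).

CWE-284 in this form is an endpoint that hands out admin capability without
first proving who the caller is. The controls map onto two pieces of code:
  AC-14: a short, explicit allowlist of actions permitted without auth
  AC-3 / IA-8: one enforcement point every request passes through, which
  takes identity from the server-side session and nothing the client sends.
"""
from dataclasses import dataclass, field

# Constructed session store: token -> (user, role). Stands in for the
# server-side session table of a real deployment.
SESSIONS = {"tok-admin-1": ("alice", "admin"), "tok-view-1": ("bob", "viewer")}

# AC-14: the only actions permitted without identification or authentication.
UNAUTHENTICATED_ACTIONS = frozenset({"GET /login", "GET /health"})

# Minimum role per action (hypothetical routes). Anything not listed is denied.
REQUIRED_ROLE = {
    "GET /api/cameras": "viewer",
    "POST /api/users": "admin",
    "GET /api/config": "admin",
}
ROLE_RANK = {"viewer": 1, "admin": 2}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def action(self):
        return f"{self.method} {self.path}"


def authorize_weak(req):
    """Vulnerable pattern: the role is read from a client-controlled header,
    and routes missing from the table fall through as allowed. Either mistake
    alone lets an unauthenticated caller reach admin functions."""
    role = req.headers.get("X-Role", "anonymous")
    needed = REQUIRED_ROLE.get(req.action)
    if needed is None:
        return True  # fail-open: unknown route, no check at all
    return ROLE_RANK.get(role, 0) >= ROLE_RANK[needed]


def authorize(req):
    """Hardened pattern: deny by default; identity comes only from the session."""
    if req.action in UNAUTHENTICATED_ACTIONS:       # AC-14 allowlist
        return True
    token = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    session = SESSIONS.get(token)
    if session is None:                              # IA-8: no identity, no access
        return False
    needed = REQUIRED_ROLE.get(req.action)
    if needed is None:                               # unknown route: fail closed
        return False
    _user, role = session
    return ROLE_RANK[role] >= ROLE_RANK[needed]      # AC-3 enforcement


def check(req):
    """Decision of both policies for one request, for side-by-side comparison."""
    return {"weak": authorize_weak(req), "hardened": authorize(req)}


def anonymous_reachable(policy, spoof_role=None):
    """AC-14 review helper: which known actions can an unauthenticated caller
    reach under `policy`, optionally while spoofing a role header?"""
    probes = sorted(set(REQUIRED_ROLE) | UNAUTHENTICATED_ACTIONS)
    headers = {"X-Role": spoof_role} if spoof_role else {}
    return [a for a in probes
            if policy(Request(*a.split(" ", 1), headers=dict(headers)))]


if __name__ == "__main__":
    # Constructed requests: an unauthenticated caller claiming admin, and an
    # unauthenticated caller on a route nobody registered.
    print(check(Request("POST", "/api/users", {"X-Role": "admin"})))
    print(check(Request("GET", "/api/debug/export")))
    print("weak, spoofed admin:", anonymous_reachable(authorize_weak, "admin"))
    print("hardened, spoofed admin:", anonymous_reachable(authorize, "admin"))
```

The review helper is the practical takeaway: for any application that fronts admin functions, enumerate every action an anonymous caller can reach, with and without the cheap tricks (spoofed role headers, unregistered routes), and compare that list against the AC-14 allowlist the organization actually approved. Under the weak policy the spoofed-header run reaches every admin route; under the hardened one it reaches only the two allowlisted actions.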