
CVE-2025-39247 (Severity: High)

Published: 29 August 2025
Modified: 15 April 2026
CVSS v3.1 base score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0024 (46.8th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-39247 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.8th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-39247 is an access control vulnerability (CWE-284) present in some versions of HikCentral Professional. Published on 2025-08-29, it enables an unauthenticated user to obtain admin permissions. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity due to network accessibility, low attack complexity, no privileges or user interaction required, and a scope change with high confidentiality impact.

An unauthenticated attacker can exploit this vulnerability remotely over the network. With no prerequisites for privileges or user interaction, exploitation grants admin-level access, potentially exposing sensitive configuration data or control over the affected HikCentral Professional instance.

Mitigation guidance is available in the Hikvision security advisory at https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products/.


Vulnerability details

There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct unauthenticated remote exploitation of an access control flaw in the public-facing HikCentral application grants admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2025-57130 (shared CWE-284)
CVE-2024-53348 (shared CWE-284)
CVE-2025-20229 (shared CWE-284)
CVE-2026-24300 (shared CWE-284)
CVE-2026-20750 (shared CWE-284)
CVE-2025-2280 (shared CWE-284)
CVE-2025-70064 (shared CWE-284)

Affected Assets

HikCentral Professional (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): enforces approved authorizations for logical access, directly preventing unauthenticated users from obtaining admin permissions in this access control vulnerability.

AC-14 (prevent): explicitly identifies and restricts actions performable without identification or authentication, mitigating the unauthenticated admin access exploit.

IA-8 (prevent): requires identification and authentication for non-organizational users, addressing remote unauthenticated access to sensitive admin functions.
