SN No. HSRC-202508-01
Edit: Hikvision Security Response Center (HSRC)
Initial Release Date: 2025-08-28
Summary
(1) There is a CSV injection vulnerability in certain HikCentral Master Lite versions. It could allow an attacker to inject executable commands via malicious CSV data.
(2) There is an unquoted service path vulnerability in certain HikCentral FocSign versions. It could potentially allow an authenticated user to escalate privileges via local access.
(3) There is a network environment vulnerability in certain HikCentral Professional versions. It could allow an unauthenticated user to gain administrative access to the platform.
CVE ID
CVE-2025-39245
CVE-2025-39246
CVE-2025-39247
Scoring
CVSS v3.1 is adopted in scoring these vulnerabilities (http://www.first.org/cvss/specification-document).
CVE-2025-39245
Base score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L)
CVE-2025-39246
Base score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-2025-39247
Base score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Versions
| Product Name | CVE ID | Affected Versions |
|---|---|---|
| HikCentral Master Lite | CVE-2025-39245 | Versions between V2.2.1 and V2.3.2 |
| HikCentral FocSign | CVE-2025-39246 | Versions between V1.4.0 and V2.2.0 |
| HikCentral Professional | CVE-2025-39247 | Versions between V2.3.1 and V2.6.2; Version V3.0.0 |
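A triage check built from the affected-versions table, as an added example that is not part of Hikvision's advisory: it compares inventoried product versions against the listed ranges numerically and flags unparseable versions for manual review. The inventory rows and function names are constructed, and treating "between" as inclusive of both endpoints is an assumption.

```python
import re

# Affected ranges copied from the advisory table. Treating "between" as
# inclusive of both endpoints is an assumption of this example.
AFFECTED = {
    "HikCentral Master Lite": ("CVE-2025-39245", [("V2.2.1", "V2.3.2")]),
    "HikCentral FocSign": ("CVE-2025-39246", [("V1.4.0", "V2.2.0")]),
    "HikCentral Professional": ("CVE-2025-39247", [("V2.3.1", "V2.6.2"), ("V3.0.0", "V3.0.0")]),
}

def parse_version(text):
    """Turn 'V2.3.1' / 'v2.3.1' / '2.3.1' into (2, 3, 1); raise ValueError otherwise."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def affected_cve(product, version):
    """Return the CVE ID if product/version falls in an affected range, else None."""
    entry = AFFECTED.get(product.strip())
    if entry is None:
        return None  # product is not covered by this advisory
    cve, ranges = entry
    v = parse_version(version)
    for low, high in ranges:
        # Tuple comparison is numeric per component, so 2.10.0 sorts after 2.9.0.
        if parse_version(low) <= v <= parse_version(high):
            return cve
    return None

def triage(inventory):
    """Map (host, product, version) rows to findings; bad versions are flagged REVIEW."""
    findings = []
    for host, product, version in inventory:
        try:
            cve = affected_cve(product, version)
        except ValueError:
            findings.append((host, product, version, "REVIEW"))
            continue
        if cve:
            findings.append((host, product, version, cve))
    return findings

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("vms-01", "HikCentral Professional", "V2.6.2"), ("vms-02", "HikCentral Professional", "V2.6.3"),
    ("vms-03", "HikCentral Professional", "V3.0.0"), ("sign-01", "HikCentral FocSign", "v1.3.9"),
    ("lite-01", "HikCentral Master Lite", "2.3.0"), ("lite-02", "HikCentral Master Lite", "unknown"),
]
```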