March 4, 2024 at 08:48AM
Hikvision has released patches for two vulnerabilities in its security management system HikCentral Professional. The more serious flaw, CVE-2024-25063, could lead to unauthorized access to specific URLs. The second bug, CVE-2024-25064, requires authentication to be exploited. Hikvision urges customers to apply the patches promptly, as prior vulnerabilities have been exploited.
Key points from the advisory:
1. Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional:
a. The more serious flaw, CVE-2024-25063, is a high-severity bug that could give an attacker access to certain URLs without authorization. It affects HikCentral Professional version 2.5.1 and below.
b. The second bug, CVE-2024-25064, is rated medium severity, requires authentication to exploit, and affects HikCentral Professional versions 2.0.0 through 2.5.1.
2. Both vulnerabilities stem from insufficient server-side validation, which can let an attacker reach resources they are not authorized to access.
3. Security researchers Michael Dubell and Abdulazeez Omar are credited with identifying and reporting these vulnerabilities, and Hikvision has been working with them to patch the bugs.
4. Hikvision encourages its partners and customers to apply the available patches as soon as possible, as vulnerabilities in Hikvision products have been exploited in malicious attacks in the past.
5. While the company is not aware of these vulnerabilities being exploited in the field, it advises partners and customers to maintain proper cyber hygiene.
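The affected-version ranges above are what an operator needs to triage an inventory. The following helper is an added example, not code from Hikvision or from the advisory: it encodes the two ranges as summarised on this page and reports which CVEs apply to a given installed version. The accepted version-string formats (a leading "V", a trailing build tag) are assumptions about how the product reports its version, not something the advisory states.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as summarised on this page.
# A lower bound of None means "every earlier version".
AFFECTED: Dict[str, Tuple[Optional[Version], Version]] = {
    "CVE-2024-25063": (None, (2, 5, 1)),       # 2.5.1 and below
    "CVE-2024-25064": ((2, 0, 0), (2, 5, 1)),  # 2.0.0 through 2.5.1
}

# Matches the first major.minor[.patch] triple; an optional leading "V" and any
# trailing build tag are tolerated (assumed formats, see lead-in).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from strings like 'V2.5.1' or '2.5.1 build 1'.

    A missing patch component is treated as 0. Returns None when no
    version triple is present so the caller can flag the host for review
    rather than silently treating it as patched.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def applicable_cves(version_text: str) -> List[str]:
    """List the CVEs whose affected range contains the given version."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    hits = []
    for cve, (low, high) in AFFECTED.items():
        if (low is None or version >= low) and version <= high:
            hits.append(cve)
    return sorted(hits)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> applicable CVEs; unparsable versions map to ['REVIEW'].

    Hosts above 2.5.1 get an empty list, which is the "patched" signal
    the operator wants to see across the whole inventory.
    """
    result: Dict[str, List[str]] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = applicable_cves(version_text)
        except ValueError:
            result[host] = ["REVIEW"]
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these hosts and versions are illustrative.
    sample = {
        "vms-01": "V2.5.1",
        "vms-02": "2.5.2 build 20240301",
        "vms-03": "V1.9.0",
        "vms-04": "unknown",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'not affected'}")
```

Anything that lands on 2.5.1 or below should be scheduled for the vendor patch; an entry of `REVIEW` means the version could not be read and the host must be checked by hand rather than assumed safe.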
For operators, the practical takeaway is to identify every HikCentral Professional deployment at version 2.5.1 or below and apply the vendor patches promptly, prioritising instances reachable by attackers who hold no credentials, since CVE-2024-25063 does not require authentication.