
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical access control vulnerability (CVE-2025-39247) was discovered in HikCentral Professional versions V2.3.1 through V2.6.2, as well as version V3.0.0. The vulnerability, disclosed on August 28, 2025, allows an unauthenticated user to obtain administrative permissions in the system. The flaw received a CVSS v3.1 base score of 8.6, indicating high severity (Hikvision Advisory, Security Online).
The vulnerability stems from insufficient authentication checks in HikCentral Professional's access control mechanism. It has been assigned the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating that it can be exploited remotely with low attack complexity, requires no privileges or user interaction, results in a scope change, and has a high confidentiality impact without affecting integrity or availability (NVD, Hikvision Advisory).
The exploitation of this vulnerability could allow attackers to bypass access controls and gain administrative privileges in HikCentral Professional deployments. Once admin rights are obtained, adversaries can potentially reconfigure system settings, create new accounts, or deploy additional malware. Given HikCentral's role in video management and enterprise control systems, successful exploitation could lead to compromise of surveillance infrastructure and manipulation of access policies (Security Online).
Hikvision has released patches to address this vulnerability. Users are advised to upgrade to either HikCentral Professional version 2.6.3 or version 3.0.1, both of which include fixes that close the authentication loophole and strengthen session management. Organizations should contact their regional technical support teams to obtain the patched versions (Hikvision Advisory).
Source: This report was generated using AI