The Hikvision ApplyCT Exploit & Its Alarming Impact on Fixed IP CCTV Deployments

A Practical Guide for Securing IoT SIM-Based Surveillance and M2M Installations

In mid-2025, a severe vulnerability surfaced within Hikvision’s flagship video surveillance platform—HikCentral Professional—that sent shockwaves across the global security industry. Known as CVE-2025-34067, this exploit leverages a deserialization flaw in the platform’s Single Sign-On (SSO) service, allowing remote attackers to take complete control of unpatched systems. While the attack vector is software-based, the real-world implications are devastating, particularly for CCTV deployments using 4G/5G routers and Fixed Public IP SIM cards—a setup common in commercial, industrial, and temporary surveillance environments.

This post explores how the Hikvision ApplyCT vulnerability works, what happens when it’s exploited, and how installers and businesses using IoT or M2M SIMs can protect themselves. Whether you’re a security professional, IT admin, or installer deploying mobile surveillance, this guide breaks down the technical threat—and offers practical defences in plain English.


🔍 Part I: Inside the Hikvision ApplyCT Vulnerability

▶ What Is It?

CVE-2025-34067 is a critical remote code execution (RCE) flaw in Hikvision’s HikCentral Professional (v2.4.x and earlier), specifically in the endpoint:

/bic/ssoService/v1/applyCT

This API, used for single sign-on (SSO), was implemented using Fastjson, a popular Java JSON library whose autoType feature lets incoming JSON specify which Java class to instantiate during deserialization. With autoType enabled (as in this case), attackers can send malicious payloads that trick the application into loading and executing rogue Java classes.

▶ How Is It Exploited?

  • A hacker sends a crafted JSON POST request to the vulnerable endpoint.
  • The server parses the data using Fastjson, which then loads a class from a remote LDAP/RMI URL—such as ldap://attacker[.]com/Exploit.
  • That class is deserialized and executed within HikCentral’s context—allowing arbitrary code execution.

No authentication is required. No login needed. If the vulnerable endpoint is exposed to the internet—particularly via a router with port forwarding—it’s game over.

▶ Timeline of Discovery

  • 30 June 2025 – Reported to Hikvision’s PSIRT.
  • 2 July 2025 – CVE registered, advisory issued.
  • 3–4 July 2025 – Proof-of-concept (PoC) tools released publicly.
  • By 7 July 2025 – Mass scanning and exploitation confirmed in the wild.

The issue is rated CVSS 10.0—the maximum severity possible.

▶ Real-World Risk

When the endpoint is exposed (e.g. via port forwarding on a public IP), hackers can:

  • Disable or loop surveillance footage.
  • Replace firmware or drop persistent backdoors.
  • Exfiltrate camera streams or stored video.
  • Use the compromised system to launch attacks on other devices in the same LAN.

📉 The Fallout of an Exploited CCTV System

💸 1. Skyrocketing Cellular Data Usage

Many HikCentral deployments use Fixed Public IP SIM cards for remote access via 4G/5G routers. Once compromised:

  • Attackers stream or download live and stored video to their servers.
  • Some use devices as botnet nodes to relay data or mine cryptocurrency.
  • Others use the SIM’s connectivity to launch outbound attacks.

This leads to:

  • Massive data bills (hundreds of gigabytes in some cases).
  • Emergency shutdowns by mobile providers.
  • Installers and end-users caught off-guard with unexpected costs running into thousands.

🛑 2. Operational Downtime

Cameras may:

  • Go offline.
  • Appear to work while silently recording nothing.
  • Replay the same footage in a loop.
  • Refuse connections from legitimate clients.

For sites depending on 24/7 surveillance—construction yards, retail chains, ATMs—this is more than just annoying. It can invalidate insurance and compromise safety.

🕵️‍♂️ 3. Legal & Reputational Risk

A single vulnerable endpoint could:

  • Let an attacker into the wider network (e.g., corporate LAN via pivoting).
  • Result in GDPR violations due to leaked footage or data.
  • Trigger fines, lost business, or even lawsuits.

🌐 Why Fixed IP SIMs Make This Worse

Many CCTV installers favour Fixed IP SIM cards to provide remote access via port forwarding. It seems simple:

  • Assign a public IP.
  • Forward port 80/443/554 to a camera or NVR.
  • Job done—client can view their cameras remotely.

But this configuration is fundamentally insecure.

🔓 Exposure Chain

  1. Fixed Public IP → reachable globally.
  2. Port Forwarding → opens specific services to the world.
  3. Default credentials / unpatched software → wide open to attack.

Result: Every exposed camera/NVR becomes a visible target to automated scanners.

Attackers use tools that scan huge IP blocks for known endpoints like /bic/ssoService/* and exploit them automatically. It’s not “if,” but when.
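A defensive check for the scanning described above, added here as an example (not code from the original post or from Hikvision): it scans access logs for requests to /bic/ssoService/ that come from outside the management range and separates rejected probes from requests that reached the application. The combined log format from a reverse proxy, the 10.8.0.0/24 management range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

SSO_PREFIX = "/bic/ssoservice/"  # path prefix from the article, lower-cased for matching
MGMT_NETS = [ipaddress.ip_network("10.8.0.0/24")]  # hypothetical VPN/management range
# Assumption: combined log format written by a reverse proxy in front of the platform.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jul/2025:02:14:09 +0000] "GET /bic/ssoService/v1/applyCT HTTP/1.1" 405 153',
    '203.0.113.7 - - [07/Jul/2025:02:14:10 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 200 87',
    '10.8.0.12 - - [07/Jul/2025:08:01:44 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 200 412',
    '198.51.100.23 - - [07/Jul/2025:09:30:02 +0000] "POST //bic//ssoService/v1/applyCT HTTP/1.1" 403 0',
]

def from_mgmt(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
    except ValueError:
        return False  # an unparseable source is treated as untrusted

def find_sso_requests(lines):
    """Group requests to the SSO service by source, ignoring management sources."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or from_mgmt(m["src"]):
            continue
        # Drop the query string, decode %-escapes, collapse repeated slashes, ignore case.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0])).lower()
        if path.startswith(SSO_PREFIX):
            hits[m["src"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def triage(hits):
    """'investigate' if a POST to applyCT got a non-4xx reply (it reached the app), else 'probe'."""
    verdicts = {}
    for src, events in hits.items():
        reached = any(meth == "POST" and path.endswith("/applyct") and not 400 <= status < 500
                      for _, meth, path, status in events)
        verdicts[src] = "investigate" if reached else "probe"
    return verdicts

if __name__ == "__main__":
    print(triage(find_sso_requests(SAMPLE_LOG)))
```

An "investigate" verdict on an unpatched system means the request was processed and the host should be treated as potentially compromised until checked.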


🛠 A Practical Installer’s Guide to Locking Down CCTV Systems

Let’s break this into layers—like a proper defence-in-depth strategy.

🧱 1. SIM & Network-Level Security

✅ Use Private or VPN-Based APNs

  • Don’t use public internet-facing IPs unless absolutely necessary.
  • Many M2M SIM providers offer Private IP with VPN access (e.g., IPsec, OpenVPN).
  • Devices are only accessible once connected to the VPN—no exposure.

✅ SIM Firewalls & IP Whitelisting

  • Enable firewall rules at the SIM provider level.
  • Whitelist access from known management IPs only.

✅ Disable All Unused Ports

  • Avoid exposing ports like 80 (HTTP), 443 (HTTPS), 554 (RTSP), 8000, or 8080.
  • Use VPN to access management interfaces securely.

📶 2. Router Security

✅ Use Industrial-Grade Routers

  • Consumer routers often lack security features.
  • Use models from Teltonika, InHand, Robustel, Peplink etc.

✅ Firmware Updates

  • Update firmware regularly.
  • Disable automatic WAN-based access to admin GUI.

✅ VPN-Only Management

  • Only expose OpenVPN/IPsec ports, not web GUIs.
  • Disable remote SSH and Telnet unless locked to whitelisted IPs.

✅ Disable UPnP

  • Universal Plug and Play opens random ports automatically—massively risky.

📷 3. Device-Level Security

✅ Patch Every Device

  • Update all Hikvision firmware to the latest version.
  • HikCentral should be 2.5.5 or later, which disables Fastjson and secures /applyCT.

✅ Change All Default Credentials

  • No “admin / 12345” logins. Use strong, unique passwords.

✅ Disable P2P Services

  • Services like Hik-Connect can open unmonitored tunnels out.
  • Disable them if using Fixed IP or VPN setups.

✅ VLAN Isolation

  • Cameras on their own subnet (e.g., 192.168.88.0/24).
  • Management interface on another subnet.
  • Use router firewall rules to enforce strict traffic flow.

📊 What Happens If You Don’t Patch?

| Impact Area | Consequence |
|---|---|
| Data Usage | 100–500GB/day exfiltrated, leading to SIM shutdown or overage |
| Video Surveillance | Feeds disabled, tampered, or looped |
| Customer Experience | Emergency support calls, loss of trust |
| Legal Compliance | GDPR/data breach fines if footage is leaked |
| Installer Reputation | May be blamed for poor setup or weak security |
| Total Cost | £500–£5000+ per incident depending on scale |

❓ Extended FAQ – For Business Users, Installers & IT Teams

Q: How do I know if I’m vulnerable?
A: If you’re using HikCentral below v2.5.5 and exposing /bic/ssoService/v1/applyCT to the public internet via a fixed IP SIM or port forwarding, you’re vulnerable.


Q: What does a successful attack look like?
A: Often nothing obvious. You might notice:

  • High cellular usage.
  • NVR interface becoming sluggish.
  • Camera feeds looping or missing.
  • Unusual outbound traffic (e.g., to ldap:// or rmi:// domains).
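Two of the signs listed above can be checked automatically from a router's flow export. The following is an added example (not from the original post or any vendor tool): it flags outbound LDAP/RMI connections from the camera subnet and days where WAN usage jumps far above the recent median. The CSV layout, the 5x threshold and the sample rows are assumptions constructed for illustration; 192.168.88.0/24 is the article's example camera subnet.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

CCTV_NET = ipaddress.ip_network("192.168.88.0/24")  # camera subnet used as the article's example
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default ports only: a lookup can use any port, so default-deny egress remains the real control.
LOOKUP_PORTS = {389: "ldap", 636: "ldaps", 1099: "rmi"}
SPIKE_FACTOR = 5  # assumption: alert when a day exceeds 5x the median of the earlier days
# Constructed flow export (not real traffic): ts,src,dst,dport,bytes
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2025-07-01T23:59:00,192.168.88.10,198.51.100.20,443,2000000000
2025-07-02T23:59:00,192.168.88.10,198.51.100.20,443,2200000000
2025-07-03T23:59:00,192.168.88.10,198.51.100.20,443,1900000000
2025-07-04T23:59:00,192.168.88.10,198.51.100.20,443,2100000000
2025-07-05T02:14:11,192.168.88.10,203.0.113.7,389,4200
2025-07-05T02:20:00,192.168.88.10,192.168.88.1,389,900
2025-07-05T23:59:00,192.168.88.10,203.0.113.7,443,150000000000
"""

def analyse(flow_csv):
    """Return (lookups, spikes) for traffic leaving the CCTV subnet towards the WAN."""
    lookups, daily = [], defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if src not in CCTV_NET or any(dst in net for net in LAN_NETS):
            continue  # only CCTV-to-WAN flows count towards SIM usage
        daily[row["ts"][:10]] += int(row["bytes"])
        service = LOOKUP_PORTS.get(int(row["dport"]))
        if service:
            lookups.append((row["ts"], str(src), str(dst), service))
    spikes, days = [], sorted(daily)
    for i in range(3, len(days)):  # need three earlier days as a baseline
        baseline = statistics.median(daily[d] for d in days[:i])
        if daily[days[i]] > SPIKE_FACTOR * baseline:
            spikes.append((days[i], daily[days[i]], baseline))
    return lookups, spikes

if __name__ == "__main__":
    found, spiked = analyse(SAMPLE_FLOWS)
    for ts, src, dst, service in found:
        print(f"{ts} {src} -> {dst}: outbound {service} lookup to the internet")
    for day, used, baseline in spiked:
        print(f"{day} WAN usage {used / 1e9:.1f} GB vs baseline {baseline / 1e9:.1f} GB")
```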

Q: Can antivirus catch this?
A: No. This is a remote exploit using a trusted channel (HTTP API) and won’t trigger AV.


Q: Should I disable public IPs entirely?
A: Where possible, yes. Use private APNs or VPN tunnels. Only expose public IPs if absolutely necessary, and lock them down with firewalls.


Q: What routers are safe?
A: Industrial routers from Teltonika, Peplink, InHand, Sierra Wireless—all support VPNs, SIM management, and firmware upgrades. Avoid home routers.


Q: Can I still use port forwarding securely?
A: It’s a last resort. If you must:

  • Only forward from trusted IPs.
  • Change default ports.
  • Use complex credentials and MFA.

Q: I’m using another brand like Uniview or Dahua. Am I safe?
A: No brand is immune. Ensure firmware is up to date. Apply the same zero-trust principles.


Q: Is this just a CCTV issue?
A: No. Any IoT device using a fixed IP SIM, exposed via port forwarding, can be attacked. This includes digital signage, remote access terminals, ATMs, environmental sensors, and more.


✅ Final Recommendations

  • Patch all Hikvision devices immediately.
  • Remove port forwarding wherever possible.
  • Switch to VPN-accessible private APNs.
  • Segment networks using VLANs and firewalls.
  • Monitor for abnormal data usage or outbound LDAP traffic.
  • Use strong passwords and disable unused services.

🔚 Final Thoughts

The Hikvision ApplyCT exploit is not just another technical flaw—it’s a wake-up call for anyone deploying remote, connected security systems. If your CCTV system is accessible via the internet—especially over Fixed Public IP SIMs—you must assume it’s being scanned right now.

Cybersecurity is no longer optional. Even in M2M, even in CCTV. Secure every layer—from SIM to router to device—and you’ll sleep better knowing your footage is safe, your bills are predictable, and your clients are protected.
