Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
AnalysisAI
Unauthenticated attackers can bypass access controls in HikCentral Professional to obtain administrative permissions, enabling unauthorized management and configuration of security infrastructure. The vulnerability requires network access and non-trivial complexity but grants high-impact confidentiality and scope expansion across affected deployments. No public exploit code has been identified, though Hikvision has released a security advisory confirming the issue.
Technical ContextAI
HikCentral Professional is a centralized management platform for Hikvision security systems, handling user authentication, authorization, and administrative access control. The vulnerability exists in the access control mechanism (CWE category implicit from impact description), allowing authentication bypass or privilege escalation. The CVSS vector indicates network-accessible endpoints with moderate attack complexity (AC:H), suggesting the exploitation requires specific conditions such as particular configuration states, timing windows, or intermediate knowledge of the system architecture, though authentication is not required (PR:N). CPE indicates all versions of HikCentral Professional are affected; specific vulnerable version ranges have not been disclosed in the advisory reference.
RemediationAI
Apply the vendor-released security patch from Hikvision for HikCentral Professional. Consult the Hikvision security advisory (https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-hikcentral-professional/) for exact patched version numbers and deployment instructions specific to your installation. Interim compensating controls pending patch deployment include: restrict network access to HikCentral Professional administrative interfaces to trusted IP ranges or VPN-only connectivity, reducing exposure to unauthenticated attackers (trade-off: reduced usability for remote management); disable or revoke unnecessary administrative user accounts and enforce the principle of least privilege for management roles (trade-off: operational complexity in multi-team environments); monitor authentication logs for anomalous administrative access patterns and unusual privilege escalations; implement network segmentation isolating HikCentral Professional from general corporate networks (trade-off: potential impact on integrated security workflows). These controls mitigate but do not eliminate risk; patching remains the primary remediation.
More in Hikcentral Professional
View allDue to insufficient server-side validation, a successful exploit of this vulnerability could allow an attacker to gain a
There is a SQL injection vulnerability in some HikCentral Professional versions. Rated high severity (CVSS 7.2), this vu
Due to insufficient server-side validation, an attacker with login privileges could access certain resources that the at
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28905
GHSA-r9q2-82fq-2493