All CISA Advisories, EN

Industrial Video & Control Longwatch

2025-12-02 19:12

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Industrial Video & Control
Equipment: Longwatch
Vulnerability: IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Industrial Video & Control Longwatch, a video surveillance and monitoring system, are affected:

Longwatch: Versions 6.309 to 6.334

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.

CVE-2025-13658 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-13658. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREA

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Industrial Video & Control Longwatch

Share this:
Facebook
X
LinkedIn
Like this:
Like Loading...

Related

Tags: All CISA Advisories EN

Post navigation

← CISA Releases Five Industrial Control Systems Advisories

Iskra iHUB and iHUB Lite →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

Attackers Actively Exploiting Critical Vulnerability in King Addons for Elementor Plugin December 2, 2025

Iskra iHUB and iHUB Lite December 2, 2025

Industrial Video & Control Longwatch December 2, 2025

CISA Releases Five Industrial Control Systems Advisories December 2, 2025

Mirion Medical EC2 Software NMIS BioDose December 2, 2025

PostHog Details “Most Impactful” Security Breach as Shai-Hulud 2.0 npm Worm Spreads Through JavaScript SDKs December 2, 2025

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials December 2, 2025

IT Security News Hourly Summary 2025-12-02 18h : 9 posts December 2, 2025

NK Hackers Push 200 Malicious npm Packages with OtterCookie Malware December 2, 2025

4.3M Users Exposed in ShadyPanda’s Long-Running Browser Hack December 2, 2025

Zafran Security Raises $60 Million in Series C Funding December 2, 2025

Fortinet FortiWeb flaws found in unsupported versions of web application firewall December 2, 2025

Air fryer app caught asking for voice data (re-air) (Lock and Code S06E24) December 2, 2025

A data breach at analytics giant Mixpanel leaves a lot of open questions December 2, 2025

Fortinet at AWS re:Invent 2025: Expanding What’s Possible in Cloud Security December 2, 2025

Europol nukes Cryptomixer laundering hub, seizing €25M in Bitcoin December 2, 2025

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime December 2, 2025

MuddyWater strikes Israel with advanced MuddyViper malware December 2, 2025

Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools December 2, 2025

GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools December 2, 2025

Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options

Manage services

Manage {vendor_count} vendors

Read more about these purposes

View preferences

{title}

{title}

{title}