CVE-2025-34058
HIGH EXPLOITED
Hikvision Streaming Media Management Server v2.3.5 - Info Disclosure
Title source: llm
Exploitation Summary
CVE-2025-34058 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files.
References (4)
Core References
Various Sources third-party-advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2021-14544
Various Sources exploit
https://blog.csdn.net/qq_40684306/article/details/115278837
Various Sources product
https://www.hikvision.com/en/support/cybersecurity/security-advisory/
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/hikvision-streaming-server-default-creds-file-read
Scores
CVSS v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
EPSS: 0.0085
EPSS Percentile: 53.3%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
VulnCheck KEV: 2025-07-01
CWE: CWE-22, CWE-521
Status: published
Products (1): Hangzhou Hikvision System Technology/Streaming Media Management Server 2.3.5
Published: Jul 01, 2025
Tracked Since: Feb 18, 2026