Thoropass Security Research: HikVision Local Privilege Escalation - CVE-2025-39246

At Thoropass, our penetration testers are encouraged to dedicate part of their working hours to independent security research. This initiative is part of our ongoing effort to strengthen our methodologies, promote continuous learning, and cultivate a strong research-driven culture within the team.

In May 2025, a Thoropass pentester identified and responsibly disclosed a previously undocumented vulnerability affecting a Hikvision product. This disclosure led to the publication of CVE-2025-39246, a local privilege escalation vulnerability on Windows that leverages a well-known technique, which we detail in this post. It highlights the level of technical rigor and real-world impact that Thoropass penetration testers consistently deliver through hands-on security research.

In addition to this discovery, our team also identified a Cross-Site Scripting (XSS) vulnerability in an electronic component management software, which resulted in CVE-2025-5007. Lastly, a mobile registration bypass was uncovered in the bug bounty program of a major Brazilian bank. Due to confidentiality policies, we will not disclose technical details of this finding.

Our researchers explore a broad range of targets, from small open-source projects to enterprise-grade applications that permit security testing. Bug bounty programs are also part of this effort, allowing us to responsibly disclose real-world vulnerabilities while contributing to a safer digital ecosystem.

Discovery Process

During this phase of research, our pentesters focused on publicly accessible web applications offered by major vendors that allow for local installation and testing.

One of the applications selected was FocSign V2.2.0, a multifunctional platform designed for digital signage. It integrates program design, deployment, and terminal management features. Installation is performed via a Windows binary, which deploys a self-hosted web application.

Initial testing targeted the web application itself. While the platform appeared well-built and did not expose any exploitable vulnerabilities at the web layer, further inspection revealed an issue in the underlying service. Specifically, the Windows service was found to be vulnerable to an Unquoted Service Path, a known misconfiguration that can lead to local privilege escalation on Windows systems.

The Vulnerability

The Unquoted Service Path vulnerability stems from a misconfiguration in Windows services that can lead to local privilege escalation. When a service's executable path contains spaces and is not enclosed in double quotes, Windows may parse the path incorrectly at runtime and attempt to execute a different binary than the one intended.

This misinterpretation happens because Windows tries to resolve the path incrementally, checking each possible executable along the way until it finds a valid one. For example, if a service is configured to run the following path:

C:\Program Files\Thoropass App\app.exe

and the path is not wrapped in quotes, Windows will attempt to execute the following paths in order:

C:\Program.exe

C:\Program Files.exe

C:\Program Files\Thoropass.exe

C:\Program Files\Thoropass App.exe

C:\Program Files\Thoropass App\app.exe  ← expected binary

If an attacker has write permissions to any of the earlier directories and places a malicious executable with a matching name (e.g., Program.exe), Windows may execute the attacker's binary instead of the intended one.

This type of misconfiguration can be exploited to escalate privileges to those of the account under which the vulnerable service runs, often Local System, but not always. For this reason, it is important to ensure that all service executable paths containing spaces are properly enclosed in quotes during installation and configuration.

Vulnerable vs. Exploitable

While a service with an unquoted path is inherently vulnerable, that doesn’t always mean it’s exploitable in practice.

To successfully exploit this misconfiguration, an attacker must have write access to one of the directories that Windows searches when resolving the service executable path. In the example shared above, exploitation is unlikely: standard users typically lack write permissions to critical directories such as C:\ or C:\Program Files.

This becomes much more plausible in custom software installations. In these scenarios, applications are often deployed to non-standard locations with overly permissive directory permissions, unintentionally allowing attackers to plant malicious executables in paths that Windows checks first.

Additionally, for the exploit to succeed, the vulnerable service must be restarted. This can occur in several ways:

  • The attacker has permissions to manually restart the service;
  • The system reboots;
  • The service restarts automatically due to a crash, update, or a scheduled task.

These requirements introduce friction, but they don’t eliminate the risk. In real-world environments, especially where software is deployed carelessly or with default installers, such conditions are far more common than they should be.
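The following script is an added example and is not code from the Thoropass post or from Hikvision. It covers two passages at once: it turns the path-resolution rule from "The Vulnerability" section into a function that reproduces the five-candidate list shown there, and then audits every service on the host for the exploitability conditions just described (a space in an unquoted path plus a searched directory that ordinary users can write to). It assumes Windows PowerShell 5.1 or PowerShell 7 on the host being audited, run as an account that can read service configuration and directory ACLs; the list of "broad" principals is a constructed default you can extend.

```powershell
# Added example (not from the Thoropass post or Hikvision): enumerate the
# executables Windows would try for a service command line, then audit all
# services for unquoted paths whose searched directories are broadly writable.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on the audited host.

function Get-ServicePathCandidates {
    # Returns, in order, the executables CreateProcess would try for a service
    # command line. A quoted path yields one candidate; an unquoted path yields
    # one candidate per space plus the full path. Windows stops at the first
    # candidate that exists on disk, so the audit below stops there as well.
    param([Parameter(Mandatory)][string]$PathName)

    $cmd = $PathName.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
        return ,@($exe)
    }

    $parts = $cmd -split ' '
    $candidates = foreach ($i in 1..$parts.Count) {
        $prefix = ($parts[0..($i - 1)]) -join ' '
        # A last path component without a dot gets ".exe" appended,
        # which is how C:\Program becomes C:\Program.exe.
        $leaf = ($prefix -split '\\')[-1]
        if ($leaf -notmatch '\.') { $prefix += '.exe' }
        $prefix
    }
    return ,@($candidates)
}

# Principals whose Allow ACE with file-creation rights on a searched directory
# lets an ordinary local user plant a binary there (constructed default list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-BroadWriteAccess {
    # Heuristic: true if any broad principal is allowed CreateFiles (WriteData)
    # on the directory. Deny ACEs and nested group membership are not evaluated.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    # One record per candidate path Windows would try before reaching the real
    # executable, with the account the service runs as (the privilege at stake)
    # and whether the candidate's directory is broadly writable.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($svc.PathName)
        if ($path.TrimStart().StartsWith('"') -or $path -notmatch ' ') { continue }
        foreach ($candidate in (Get-ServicePathCandidates -PathName $path)) {
            # Windows stops at the first existing file, so nothing after it is searched.
            if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { break }
            $dir = Split-Path -Path $candidate -Parent -ErrorAction SilentlyContinue
            if (-not $dir) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                PathName   = $path
                Candidate  = $candidate
                BroadWrite = Test-BroadWriteAccess -Directory $dir
            }
        }
    }
}

# The five candidates from the post's example, for comparison with the list above:
Get-ServicePathCandidates -PathName 'C:\Program Files\Thoropass App\app.exe'

# Host-wide audit: rows where an ordinary user could plant a binary are the
# ones that are exploitable rather than merely vulnerable.
Find-UnquotedServicePaths | Where-Object BroadWrite | Format-Table -AutoSize
```

Rows with BroadWrite equal to false are still worth fixing (the restart conditions listed above are outside your control), but rows with BroadWrite equal to true combined with a RunsAs of LocalSystem are the findings to treat as an actual privilege escalation path. The ACL check is deliberately conservative: it ignores Deny entries and group nesting, so confirm a flagged directory with icacls before reporting it.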

CVE-2025-39246: Local Privilege Escalation in HikCentral FocSign

During the analysis of HikCentral FocSign, our team identified that one of the Windows services launched by the application was configured with an unquoted executable path containing spaces, creating a clear opportunity for exploitation.

Once confirmed, Thoropass submitted a detailed advisory to Hikvision, including a working proof-of-concept, impact assessment, and remediation recommendations. The vendor responded promptly and released a fix, and the issue was officially assigned CVE-2025-39246.

This vulnerability highlights the importance of secure installation practices, particularly for software commonly deployed in enterprise or high-security environments. While exploitation depends on specific environmental factors, misconfigured permissions and custom deployments can still expose organizations to significant risk.

Mitigation

Mitigation for this type of vulnerability is straightforward: ensure that all service executable paths containing spaces are properly enclosed in double quotes in the Windows service configuration. This prevents the system from misinterpreting the path during execution.

In addition, it is highly recommended to audit the file system permissions of every directory included in the service path. Any folder that allows write access to low-privileged users can enable privilege escalation if exploited. Ensuring proper access controls prevents attackers from injecting malicious executables into those directories.
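The following function is an added example, not code from the Thoropass post or from Hikvision, showing how the quoting fix above is applied to one service: it rewrites the service's ImagePath registry value so the executable is enclosed in double quotes while any arguments are left intact. It assumes an elevated PowerShell session, that the intended executable is the longest space-delimited prefix of the path that exists on disk as a file, and that 'ExampleService' is a placeholder for whichever service your audit flagged.

```powershell
# Added example (not from the Thoropass post or Hikvision): quote the
# executable portion of a service's ImagePath. Assumptions: elevated session;
# 'ExampleService' is a placeholder service name.

function Repair-ServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
    if ($current.TrimStart().StartsWith('"') -or $current -notmatch ' ') {
        Write-Verbose "$ServiceName needs no change: $current"
        return $current
    }

    # Locate the executable as the longest leading prefix that exists on disk.
    # The longest (not the first) existing prefix is used so that a stray
    # C:\Program.exe is never quoted as if it were the intended binary.
    $parts = $current.Trim() -split ' '
    $exeLen = 0
    for ($i = 1; $i -le $parts.Count; $i++) {
        $prefix = [Environment]::ExpandEnvironmentVariables(($parts[0..($i - 1)]) -join ' ')
        if (Test-Path -LiteralPath $prefix -PathType Leaf -ErrorAction SilentlyContinue) { $exeLen = $i }
    }
    if ($exeLen -eq 0) { throw "Could not locate the executable in '$current'; fix it by hand." }

    $exe  = ($parts[0..($exeLen - 1)]) -join ' '
    $tail = if ($exeLen -lt $parts.Count) { ' ' + (($parts[$exeLen..($parts.Count - 1)]) -join ' ') } else { '' }
    $fixed = "`"$exe`"$tail"

    # Preserve the value's registry type (ImagePath is usually REG_EXPAND_SZ).
    $kind = (Get-Item -Path $key).GetValueKind('ImagePath')
    if ($PSCmdlet.ShouldProcess($ServiceName, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
    }
    return $fixed
}

# Dry run first; drop -WhatIf to apply. The new path takes effect the next
# time the service starts.
Repair-ServiceImagePath -ServiceName 'ExampleService' -WhatIf
```

The same change can be made with the built-in service control tool, which needs the inner quotes escaped: `sc.exe config ExampleService binPath= "\"C:\Program Files\Thoropass App\app.exe\""`. Whichever route you take, re-run the audit afterwards and confirm with `Get-CimInstance Win32_Service` that PathName now starts with a double quote; installers should emit the quoted form from the start so the fix does not have to be repeated on every host.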

Vendor Response & Patch

Hikvision responded promptly and addressed the issue as part of a broader security update. A patch was released, and an official advisory was published alongside other related CVEs. Thoropass was acknowledged in the advisory, and we appreciate Hikvision’s collaboration and commitment to improving their product security.

Disclosure Timeline

  • 2025-05-17 – Vulnerability discovered during internal security research and responsibly reported to the vendor
  • 2025-05-19 – Vendor acknowledged receipt of the report
  • 2025-08-28 – Public disclosure of the issue as CVE-2025-39246
  • 2026-01-267 – Technical blog post published by Thoropass

Other Reported Vulnerabilities

CVE-2025-5007 – Stored XSS via SVG in Part-DB

This vulnerability is a classic stored Cross-Site Scripting (XSS) executed through malicious SVG files. The affected software, Part-DB-server, is a web-based inventory management system for electronic components. According to enumeration platforms such as Shodan and Fofa.io, the application has over 30,000 exposed instances online.

The impact of this vulnerability is significant: a specially crafted SVG file can trigger JavaScript execution in an administrator’s session, potentially allowing actions such as password changes and, ultimately, full account takeover.

https://nvd.nist.gov/vuln/detail/CVE-2025-5007

Mobile Number Confirmation Bypass in a Major Brazilian Bank

This vulnerability, discovered through a bug bounty platform, affects the mobile registration flow of a major Brazilian bank. By bypassing the phone number confirmation step, it was possible to register accounts using any number, including those belonging to legitimate users.

While this issue does not directly result in unauthorized access, it could be abused to prevent legitimate users from registering their own phone numbers, negatively impacting availability and user trust. Due to confidentiality policies, specific technical details about this finding are not disclosed.

Eduardo Bido