Search criteria
2 vulnerabilities found for Longwatch by Industrial Video & Control
CVE-2025-13658 (GCVE-0-2025-13658)
Vulnerability from cvelistv5 – Published: 2025-12-02 19:35 – Updated: 2025-12-02 21:41
VLAI?
Summary
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Industrial Video & Control | Longwatch |
Affected:
6.309 , ≤ 6.334
(custom)
|
Credits
Concerned OT Engineer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T21:41:10.934773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T21:41:24.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Longwatch",
"vendor": "Industrial Video \u0026 Control",
"versions": [
{
"lessThanOrEqual": "6.334",
"status": "affected",
"version": "6.309",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Concerned OT Engineer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T19:35:59.252Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIndustrial Video \u0026amp; Control recommends users running versions 6.309 to 6.334 should upgrade to version 6.335 or later to ensure protection against this vulnerability.\u003cbr\u003e\u003cbr\u003e\n\n\u003cp\u003eFor more details, view Industrial Video \u0026amp; Control\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ivcco.com/wp-content/uploads/Longwatch-Security-Bulletin-11-18-2025.pdf\"\u003eadvisory\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Industrial Video \u0026 Control recommends users running versions 6.309 to 6.334 should upgrade to version 6.335 or later to ensure protection against this vulnerability.\n\n\n\nFor more details, view Industrial Video \u0026 Control\u0027s advisory https://ivcco.com/wp-content/uploads/Longwatch-Security-Bulletin-11-18-2025.pdf ."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Industrial Video \u0026 Control Longwatch has a Code Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13658",
"datePublished": "2025-12-02T19:35:59.252Z",
"dateReserved": "2025-11-25T16:03:10.989Z",
"dateUpdated": "2025-12-02T21:41:24.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13658 (GCVE-0-2025-13658)
Vulnerability from nvd – Published: 2025-12-02 19:35 – Updated: 2025-12-02 21:41
VLAI?
Summary
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Industrial Video & Control | Longwatch |
Affected:
6.309 , ≤ 6.334
(custom)
|
Credits
Concerned OT Engineer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T21:41:10.934773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T21:41:24.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Longwatch",
"vendor": "Industrial Video \u0026 Control",
"versions": [
{
"lessThanOrEqual": "6.334",
"status": "affected",
"version": "6.309",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Concerned OT Engineer"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T19:35:59.252Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIndustrial Video \u0026amp; Control recommends users running versions 6.309 to 6.334 should upgrade to version 6.335 or later to ensure protection against this vulnerability.\u003cbr\u003e\u003cbr\u003e\n\n\u003cp\u003eFor more details, view Industrial Video \u0026amp; Control\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ivcco.com/wp-content/uploads/Longwatch-Security-Bulletin-11-18-2025.pdf\"\u003eadvisory\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Industrial Video \u0026 Control recommends users running versions 6.309 to 6.334 should upgrade to version 6.335 or later to ensure protection against this vulnerability.\n\n\n\nFor more details, view Industrial Video \u0026 Control\u0027s advisory https://ivcco.com/wp-content/uploads/Longwatch-Security-Bulletin-11-18-2025.pdf ."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Industrial Video \u0026 Control Longwatch has a Code Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13658",
"datePublished": "2025-12-02T19:35:59.252Z",
"dateReserved": "2025-11-25T16:03:10.989Z",
"dateUpdated": "2025-12-02T21:41:24.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}