---
title: "Critical Code Injection Flaw in Longwatch: Remote Exploitation Risk"
short_title: "Critical flaw in Longwatch enables remote code execution"
description: "A severe code injection vulnerability (CVE-2025-13658) in Industrial Video & Control's Longwatch could allow remote attackers to execute code with SYSTEM privileges. Patch now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [cve-2025-13658, code injection, remote code execution, ics security, longwatch]
score: 0.93
cve_ids: [CVE-2025-13658]
---
## TL;DR
A critical code injection vulnerability (CVE-2025-13658) in Industrial Video & Control’s Longwatch surveillance system allows unauthenticated attackers to execute code remotely with SYSTEM-level privileges. The flaw affects versions 6.309 to 6.334 and poses a severe risk to energy and water infrastructure worldwide. Users must upgrade to version 6.335 or later immediately to mitigate the threat.
---
## Main Content
### Critical Vulnerability Exposes Industrial Systems to Remote Attacks
A newly disclosed vulnerability in Longwatch, a widely used video surveillance and monitoring system by Industrial Video & Control (IVC), could allow cybercriminals to seize control of affected devices with elevated privileges. Tracked as CVE-2025-13658, this flaw has been assigned a CVSS v4 score of 9.3, categorizing it as a critical threat to industrial control systems (ICS).
The vulnerability stems from improper control of code generation, which lets unauthenticated attackers execute arbitrary code via malicious HTTP GET requests. Because there are no authentication or code signing requirements, the flaw is remotely exploitable with low attack complexity, making it a prime target for threat actors.
---
### Key Points
- Severity: Critical (CVSS v4: 9.3, CVSS v3.1: 9.8)
- Affected Products: Longwatch versions 6.309 to 6.334
- Vulnerability Type: Code Injection (CWE-94)
- Impact: Remote code execution (RCE) with SYSTEM-level privileges
- Exploitation: Unauthenticated attackers can trigger the flaw via HTTP GET requests
- Sectors at Risk: Energy and Water/Wastewater Systems worldwide
- Mitigation: Upgrade to Longwatch version 6.335 or later
---
### Technical Details
#### Affected Systems
The vulnerability impacts Longwatch, a video surveillance and monitoring solution deployed across critical infrastructure sectors, including:
- Energy
- Water and Wastewater Systems
Affected versions include 6.309 to 6.334. Systems running these versions are vulnerable to remote exploitation if exposed to the internet or untrusted networks.
#### Vulnerability Overview
The flaw (CVE-2025-13658) is classified as Improper Control of Generation of Code (CWE-94), commonly referred to as code injection. Its defining characteristics are:
- Lack of code signing: No verification of executable code integrity.
- Exposed endpoint: Unauthenticated HTTP GET requests can trigger arbitrary code execution.
- Privilege escalation: Successful exploitation grants SYSTEM-level privileges, enabling full control over the affected device.
#### CVSS Metrics
- CVSS v3.1: 9.8 (Critical)
  Vector: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- CVSS v4: 9.3 (Critical)
  Vector: `AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
---
### Impact Assessment
#### Potential Consequences
If exploited, this vulnerability could lead to:
- Full system compromise: Attackers gain SYSTEM-level access, allowing them to execute commands, exfiltrate data, or deploy malware.
- Lateral movement: Compromised devices could serve as entry points for deeper infiltration into industrial networks.
- Operational disruption: Attackers could disable surveillance systems, disrupt monitoring, or manipulate video feeds, posing physical security risks to critical infrastructure.
- Regulatory repercussions: Organizations failing to patch may face compliance violations, fines, or legal liabilities.
#### Targeted Sectors
The vulnerability primarily threatens:
- Energy sector: Power plants, oil and gas facilities, and renewable energy installations.
- Water and wastewater systems: Treatment plants, distribution networks, and pumping stations.
Given the global deployment of Longwatch, organizations worldwide must act swiftly to mitigate risks.
---
### Mitigation Steps
#### Immediate Actions
1. Upgrade to the latest version:
   - Industrial Video & Control recommends upgrading to Longwatch version 6.335 or later to patch the vulnerability.
   - Download the update from the [official advisory](https://ivcco.com/wp-content/uploads/Longwatch-Security-Bulletin-11-18-2025.pdf).
2. Network segmentation:
   - Isolate Longwatch systems from business networks and the internet.
   - Deploy firewalls to restrict access to control system networks.
3. Secure remote access:
   - Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
   - Recognize that VPNs are only as secure as the devices connected to them.
4. Monitor for malicious activity:
   - Implement intrusion detection systems (IDS) to identify suspicious traffic.
   - Regularly audit logs for unauthorized access attempts.
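
One way to act on the segmentation and log-audit steps above is to flag every HTTP GET that reached the Longwatch front end from outside the permitted control networks. This is an added example, not vendor or advisory code; the allowed subnets, the Common Log Format input, and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks permitted to reach the Longwatch web interface (placeholders).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.0/28")]

# Assumption: the firewall or reverse proxy in front of Longwatch logs Common Log Format.
CLF = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def is_allowed(src):
    """True only when src is a valid IP address inside an allowed network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or junk in the source field are never trusted
    return any(ip in net for net in ALLOWED_NETS)

def audit(lines):
    """Return (findings, unparsed) for GET requests from outside ALLOWED_NETS."""
    findings, unparsed = [], []
    for line in lines:
        m = CLF.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review, do not drop silently
            continue
        if m["method"] == "GET" and not is_allowed(m["src"]):
            findings.append({"src": m["src"], "time": m["ts"], "path": m["path"],
                             "status": int(m["status"]),
                             "unauthenticated": m["user"] == "-"})
    return findings, unparsed

def top_sources(findings):
    return Counter(f["src"] for f in findings).most_common()

# Constructed sample lines: documentation address ranges, placeholder paths.
SAMPLE = [
    '10.20.0.14 - operator1 [10/Jan/2025:08:01:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.50 - - [10/Jan/2025:08:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.50 - - [10/Jan/2025:08:03:41 +0000] "GET /status HTTP/1.1" 403 128',
    '198.51.100.7 - - [10/Jan/2025:08:04:02 +0000] "POST /login HTTP/1.1" 401 64',
    '10.20.5.20 - - [10/Jan/2025:08:05:30 +0000] "GET /index.html HTTP/1.1" 200 5120',
    'truncated line without a request field',
]

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    print(top_sources(hits), f"unparsed={len(bad)}")
```

A finding with a 2xx status means the request was served, so the firewall rule it should have hit is missing or too broad; `10.20.5.20` is flagged because the `/28` ends at `.15`.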
#### Long-Term Strategies
- Defense-in-depth: Adopt a layered security approach to protect industrial control systems. Refer to CISA’s [recommended practices](https://www.cisa.gov/resources-tools/resources/ics-recommended-practices) for guidance.
- Employee training: Educate staff on social engineering attacks, such as phishing, to prevent initial access vectors.
- Incident response planning: Develop and test an incident response plan to ensure rapid containment and recovery in the event of an attack.
---
### Affected Systems
| Vendor | Product | Affected Versions | Patched Version |
|--------------------------|-------------------|-----------------------|---------------------|
| Industrial Video & Control | Longwatch | 6.309 to 6.334 | 6.335 or later |
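
The version ranges in the table above can be applied to an asset inventory to decide what to patch first. This is an added example, not code from Industrial Video & Control or the advisory; the hostnames and inventory layout are constructed, and it assumes the part after the dot is an integer build number.

```python
import re

# Version bounds taken from the advisory text on this page.
FIRST_AFFECTED = (6, 309)
LAST_AFFECTED = (6, 334)
FIRST_FIXED = (6, 335)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\s*$", re.IGNORECASE)

def parse_version(text):
    """Return (major, build) as integers, or None if the string is not 'N.N'."""
    m = _VERSION_RE.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(version_text):
    """Map a reported version string to a status relative to CVE-2025-13658."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"      # verify by hand; never assume patched
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "patched"
    return "not-listed"       # below 6.309: this page gives no status for it

def triage(inventory):
    """Order hosts for action: vulnerable and exposed first, patched last."""
    rank = {"vulnerable": 0, "unknown": 1, "not-listed": 2, "patched": 3}
    rows = [(h, ver, classify(ver), exposed) for h, ver, exposed in inventory]
    return sorted(rows, key=lambda r: (rank[r[2]], not r[3], r[0]))

# Constructed inventory: (hostname, reported version, reachable from untrusted network)
SAMPLE = [
    ("lw-plant-a", "6.335", False),
    ("lw-pump-03", "6.34", True),   # assumed build 34; a float compare would call it patched
    ("lw-sub-12", "6.310", False),
    ("lw-gate-01", "6.334", True),
    ("lw-lab-02", "", False),
]

if __name__ == "__main__":
    for host, ver, status, exposed in triage(SAMPLE):
        print(f"{host:12} {ver or '?':8} {status:11} exposed={exposed}")
```

Comparing the components as integers keeps a string such as `6.34` out of the "patched" bucket, where a floating-point comparison against 6.335 would place it.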
---
## Conclusion
The discovery of CVE-2025-13658 underscores the growing threats facing industrial control systems and critical infrastructure. With a CVSS v4 score of 9.3, this vulnerability represents a severe risk that demands immediate action. Organizations using Longwatch must upgrade to version 6.335 or later and implement network segmentation, secure remote access, and monitoring to reduce exposure.
Failure to address this flaw could result in catastrophic consequences, including operational disruption, data breaches, and compromised physical security. As cyber threats to critical infrastructure evolve, proactive measures and vigilance are essential to safeguarding industrial systems.