A critical vulnerability in IDIS IP cameras, specifically within the IDIS Cloud Manager (ICM) Viewer application, has been disclosed, enabling attackers to gain complete control of a victim’s computer with a single click. This severe security flaw, tracked as CVE-2025-12556, poses a significant threat to organizations worldwide that utilize IDIS surveillance systems in enterprise, manufacturing, and military environments.
The vulnerability garnered significant attention after researchers at Claroty identified the weakness during their comprehensive investigation into modern cloud-enabled surveillance ecosystems. Their analysis revealed a dangerous attack pathway stemming from the ICM Viewer’s architecture. A high CVSS score of 8.7 underscores the critical nature of this flaw, which could potentially transform routine surveillance operations into major network security incidents.
Critical IDIS IP Cameras Vulnerability Allows Full Computer Compromise
IDIS, a prominent South Korea-based video surveillance manufacturer, offers an integrated cloud management solution that seamlessly connects its IP cameras, network video recorders, and video management software through its ICM platform. The newly uncovered vulnerability allows malicious actors to execute arbitrary code on a host machine by simply luring victims into clicking a specially crafted link. This bypasses typical browser sandboxing, directly impacting the underlying Windows operating system.
The exploit targets a Windows service named CWGService.exe, which operates on local port 16140. This service is designed to receive commands for launching the ICM Viewer with specific parameters. However, it fails to adequately validate the origin of these commands or sanitize the provided input arguments. Consequently, attackers can exploit this by injecting malicious instructions through a WebSocket connection, often initiated via JavaScript embedded in a compromised webpage.
Once a user falls victim to this one-click exploit, attackers can achieve full access to the compromised system. This level of access allows for the theft of sensitive data, the installation of further malware, or lateral movement across the network to compromise other connected devices. For organizations heavily reliant on IDIS surveillance systems, this vulnerability presents a particularly alarming scenario, as a single compromised workstation could become the gateway to broader network breaches, impacting critical business systems and the surveillance infrastructure itself.
Attack Mechanism and Technical Exploitation Details
The technical exploitation of this critical IDIS IP cameras vulnerability hinges on a design oversight in how the ICM Viewer processes command-line arguments received from the CWGService component. The ICM Viewer is built upon the Chromium Embedded Framework (CEF), a robust platform that accepts various command-line flags to modify its operational behavior. Researchers discovered that they could inject the `--utility-cmd-prefix` debugging flag into the execution chain.
By leveraging this flag, attackers can effectively wrap the viewer’s utility processes with arbitrary commands of their choosing. The attack is initiated when a malicious webpage, containing JavaScript code, connects to the local WebSocket service. This allows the attacker to send encrypted messages that include injected arguments. When an unsuspecting user visits this compromised page, these arguments are processed, leading to the execution of the malicious code.
The exploit requires minimal user interaction, necessitating only that the victim clicks a link. This low barrier to entry makes it a particularly effective tool for sophisticated spear-phishing campaigns. Claroty researchers successfully demonstrated the exploit by injecting commands that launched Notepad, a basic Windows application, thereby proving the viability of executing more malicious payloads. The ease of exploitation, combined with the critical severity of the flaw, makes this an attractive target for threat actors looking to gain network access through Internet of Things (IoT) devices.
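The two checks the article says CWGService.exe lacks, origin validation and argument sanitization, are sketched below as an added example (not IDIS's or Claroty's code). The allowed origin, the parameter names and the request shape are assumptions, since the article does not describe the service's message format.

```python
import re

# Hypothetical values: the article does not publish the service's message
# format, so the origin and parameter names below are assumptions.
ALLOWED_ORIGINS = {"https://icm.example.invalid"}
ALLOWED_PARAMS = {
    "site": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    "channel": re.compile(r"[0-9]{1,4}"),
}

def origin_allowed(origin):
    """Exact match only; a missing header or the literal 'null' is rejected."""
    return isinstance(origin, str) and origin in ALLOWED_ORIGINS

def build_argv(params):
    """Turn validated key/value pairs into argv elements; never pass raw strings."""
    argv = []
    for key, value in sorted(params.items()):
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None:
            raise ValueError(f"unknown parameter: {key!r}")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {key!r}")
        argv.append(f"--{key}={value}")
    return argv

def handle_launch_request(origin, params):
    """Return (True, argv) for an acceptable request, else (False, reason)."""
    if not origin_allowed(origin):
        return False, "origin rejected"
    try:
        return True, build_argv(params)
    except ValueError as exc:
        return False, str(exc)

# Constructed sample requests: (Origin header of the WebSocket handshake, parameters).
SAMPLES = [
    ("https://icm.example.invalid", {"site": "hq-lobby", "channel": "3"}),
    ("https://attacker.example", {"site": "hq-lobby", "channel": "3"}),
    ("https://icm.example.invalid", {"site": "x --utility-cmd-prefix=PLACEHOLDER"}),
    ("https://icm.example.invalid", {"utility-cmd-prefix": "PLACEHOLDER"}),
]

if __name__ == "__main__":
    for origin, params in SAMPLES:
        print(origin, params, "->", handle_launch_request(origin, params))
```

The Origin check only covers browser-initiated connections, which is the path the article describes; the argument allowlist is what keeps unexpected flags off the viewer's command line regardless of the caller.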
In response to the discovery, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging all users of the IDIS ICM Viewer to immediately upgrade to version 1.7.1. For organizations that do not actively utilize the software, CISA recommends uninstalling it entirely. Swift action to patch affected systems is crucial to mitigate the risk posed by this vulnerability.

