The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert for a remote code execution (RCE) vulnerability in Industrial Video & Control’s Longwatch software.
Released on December 2, 2025, as ICSA-25-336-01, the flaw affects video surveillance and monitoring systems used in critical infrastructure.
Attackers can exploit it remotely without authentication, gaining SYSTEM-level privileges. This poses severe risks to sectors such as energy and water/wastewater systems worldwide.
Discovered by “Concerned OT Engineer” and reported to CISA, the vulnerability stems from improper controls over code generation.
An exposed endpoint accepts unauthenticated HTTP GET requests, through which arbitrary code can be injected and executed.
No code signing or execution safeguards exist, enabling complete system compromise. CISA rates it as exploitable with low complexity and urges immediate action.
Technical Details
Longwatch versions 6.309 through 6.334 are vulnerable. The issue, classified as CWE-94 (Improper Control of Code Generation), carries CVE-2025-13658.
Successful exploitation runs attacker-supplied code with elevated privileges, potentially disrupting operations or enabling lateral movement in industrial networks.
CISA calculated high CVSS scores reflecting the threat:
| CVSS Version | Base Score | Vector String |
|---|---|---|
| v3.1 | 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| v4.0 | 9.3 (Critical) | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
The v3.1 score reflects network access (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability.
The v4.0 score refines this with no attack requirements (AT:N) and explicit high impacts on the vulnerable system (VC:H/VI:H/VA:H). Full vectors are available via FIRST CVSS calculators.
Longwatch monitors industrial processes via video, often in air-gapped or segmented environments. However, internet-facing deployments amplify risks.
No public exploits are known yet, but the unauthenticated nature invites rapid weaponization.
Mitigations and Recommendations
Industrial Video & Control advises upgrading to version 6.335 or later. See their security bulletin for details.
CISA echoes this and adds further defenses: isolate control systems from the internet, deploy firewalls, and use VPNs for remote access, ensuring that updates are applied.
Perform impact analysis before changes. Follow CISA’s ICS recommended practices and defense-in-depth strategies.
Report incidents to CISA and follow CISA's tips for avoiding phishing.





