CISA issues alert on Longwatch code injection

Industrial Video & Control's Longwatch video surveillance system contains an improper control of code generation (code injection) vulnerability that can enable remote execution of arbitrary code with elevated privileges.

The issue is classified as IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94 and has been assigned CVE-2025-13658. Affected software is Longwatch: Versions 6.309 to 6.334. The flaw permits unauthenticated Hypertext Transfer Protocol (HTTP) GET requests to an exposed endpoint to execute arbitrary code due to the absence of code signing and execution controls; exploitation results in SYSTEM-level privileges. A Common Vulnerability Scoring System (CVSS) v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated, SYSTEM-level privileges.

Industrial Video & Control recommends that users running Longwatch versions 6.309 to 6.334 upgrade to version 6.335 or later. Industrial Video & Control has published an advisory with further details. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

CISA advises minimizing network exposure for control system devices so they are not accessible from the internet, placing control system networks and remote devices behind firewalls and isolating them from business networks, and using more secure remote access methods such as Virtual Private Networks (VPNs) when remote access is required. CISA notes that VPNs may themselves have vulnerabilities, should be updated to the most current version available, and are only as secure as the devices connected to them.

CISA reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures, and asks organizations that observe suspected malicious activity to follow their established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends standard precautions against social engineering, including not clicking web links or opening attachments in unsolicited email messages, and points to its guidance Recognizing and Avoiding Email Scams and Avoiding Social Engineering and Phishing Attacks, as well as the control systems security recommended practices available on the ICS webpage, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.