Key Findings

• A critical security flaw (CVE-2025-13658, CVSS 9.8) has been discovered in the Longwatch video surveillance and monitoring system developed by Industrial Video & Control (IV&C).

• The vulnerability allows unauthenticated remote code execution with SYSTEM-level privileges, enabling complete takeover of the affected OT surveillance systems.

• The flaw resides in the way the Longwatch devices handle incoming web traffic, allowing arbitrary code execution through an exposed endpoint due to the lack of code signing and execution controls.

• Successful exploitation of this vulnerability could grant an attacker full control over the surveillance server, posing a severe risk to organizations relying on Longwatch for critical infrastructure monitoring.

• The vulnerability affects Longwatch versions 6.309 to 6.334, and a patch has been released by the vendor (version 6.335 or later).

Background

Longwatch is a video surveillance and monitoring system widely used in industrial operational technology (OT) environments, such as critical infrastructure, manufacturing, and energy sectors. The system is developed by Industrial Video & Control (IV&C), a leading provider of OT video solutions.

Technical Details

The vulnerability, tracked as CVE-2025-13658, is categorized as "Improper Control of Generation of Code" and allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint. This critical gap exists due to the absence of code signing and execution controls in the Longwatch device's web traffic handling.

Potential Impact

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated, SYSTEM-level privileges on the Longwatch surveillance server. This would grant the attacker complete control over the monitored OT environment, enabling them to disrupt critical operations, establish persistent access, and pivot to other connected systems.

Mitigation and Recommendations

• Users running Longwatch versions 6.309 to 6.334 should upgrade to version 6.335 or later to address this vulnerability.

• Isolate Longwatch devices from public internet access and implement strict network segmentation to limit the attack surface.

• Monitor for any suspicious activity or unauthorized access attempts to Longwatch systems.

• Regularly review and implement security updates from the vendor to stay ahead of emerging threats.

Conclusion

The discovery of this critical vulnerability in the Longwatch video surveillance system highlights the importance of maintaining robust security measures in OT environments. The ease of exploitation and the potential for complete system takeover underscore the need for prompt action by organizations relying on Longwatch to protect their critical infrastructure.

Sources

• https://securityonline.info/cisa-warns-critical-longwatch-rce-flaw-cve-2025-13658-cvss-9-8-allows-unauthenticated-system-takeover-of-ot-surveillance/

• https://securityonline.info/cisa-warns-critical-iskra-ihub-flaw-cve-2025-13510-allows-unauthenticated-smart-metering-takeover/

• https://securityonline.info/critical-elementor-plugin-flaw-cve-2025-8489-cvss-9-8-under-active-exploitation-allows-unauthenticated-admin-takeover/