Executive Summary
In December 2025, a critical remote code execution vulnerability (CVE-2025-13658) was disclosed in Industrial Video & Control’s Longwatch systems, versions 6.309 to 6.334. An unauthenticated attacker can reach an exposed HTTP endpoint that enforces no access control and no code-signing or execution checks, and use it to run arbitrary code with SYSTEM-level privileges. Because the flaw needs no credentials and little technical expertise to exploit, it directly threatens the integrity of operational technology (OT) in the energy and water deployments where Longwatch is used, sectors fundamental to public safety.
This vulnerability exemplifies persistent gaps in OT device security and arrives amid heightened global concern over the security of essential infrastructure. With regulatory scrutiny and attacker sophistication both increasing, organizations should urgently close unauthenticated remote code execution exposures, and the privilege escalation they imply, in their ICS/SCADA environments.
Why This Matters Now
The Longwatch code injection flaw shows that essential OT systems remain targets for high-impact cyber threats. Unpatched vulnerabilities in ICS environments are actively sought by both cybercriminals and nation-state actors, so rapid remediation and network segmentation are urgent priorities for preventing cascading real-world consequences.
Attack Path Analysis
No public exploit is known (see Exploit Status below), so the path described here is the expected one rather than a reconstructed incident. An unauthenticated attacker would send a crafted request to the exposed HTTP endpoint on a vulnerable Longwatch device to execute arbitrary code (Initial Compromise). Because that code runs as SYSTEM, no separate escalation step is needed (Privilege Escalation). From that foothold the attacker could move laterally within the internal network or into adjacent control subsystems (Lateral Movement) and establish a channel for remote instructions (Command & Control). The attacker could then exfiltrate sensitive video feeds or operational data (Exfiltration) and ultimately disrupt, degrade, or manipulate surveillance and control functions, affecting industrial operations (Impact).
Kill Chain Progression
Initial Compromise
Description
An attacker could exploit an unauthenticated, exposed HTTP GET endpoint on Longwatch devices to achieve remote code execution.
Related CVEs
CVE-2025-13658
CVSS: 9.8
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.
Affected Products:
Industrial Video & Control Longwatch – 6.309 to 6.334
Exploit Status:
No public exploit known at time of publication
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Valid Accounts
Exploitation for Defense Evasion
Network Sniffing
Process Injection
Potential Compliance Exposure
Mapping the potential impact of exploitation across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Custom Software
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 10.2
CISA ZTMM 2.0 – Network Segmentation and Access Control
Control ID: 1.2.2
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerability in video surveillance systems threatens energy facilities with remote code execution, requiring immediate network segmentation and egress security controls.
Utilities
Water and wastewater systems face elevated risk from unauthenticated attacks on monitoring equipment, demanding enhanced threat detection and encrypted traffic protection measures.
Industrial Automation
Manufacturing and process control environments that use Longwatch surveillance systems are exposed to SYSTEM-level code execution and require zero trust segmentation to contain it.
Government Administration
Public sector facilities relying on Industrial Video & Control systems face compliance violations and operational disruption from unpatched code injection vulnerabilities.
Sources
- Industrial Video & Control Longwatch (CISA ICS Advisory ICSA-25-336-01): https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01
- NVD - CVE-2025-13658: https://nvd.nist.gov/vuln/detail/CVE-2025-13658
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF controls such as Zero Trust Segmentation, East-West Traffic Security, and Egress Security can contain an attack of this kind by limiting unauthorized access to the device, restricting lateral movement from it, and monitoring for anomalous outbound activity. Real-time threat detection and centralized visibility further aid rapid identification of and response to suspicious behavior.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Unauthorized inbound connections are blocked or flagged in real time.
Control: Zero Trust Segmentation
Mitigation: Least privilege policies restrict privilege escalation pathways.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are blocked and inspected between internal network segments.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous outbound connection attempts are detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers violating policy are blocked or logged.
Centralized, real-time visibility enables rapid detection and remediation of system impact.
Impact at a Glance
Affected Business Functions
- Video Surveillance
- Industrial Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive surveillance footage and industrial control data.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to strictly separate ICS devices, management, and business network segments.
- Deploy centralized Cloud Native Security Fabric for real-time inspection and enforcement of access and traffic policies.
- Implement comprehensive East-West Traffic Security to detect and block unauthorized lateral movement attempts.
- Strengthen and regularly validate outbound Egress Security controls to limit unauthorized exfiltration and C2 communications.
- Enhance Threat Detection & Response by baselining normal network activity and alerting on suspicious patterns in near real time.
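The following script is an added example, not code from the advisory, from CISA, or from the Longwatch vendor. It turns the attack path above and the segmentation, east-west and egress recommendations into two concrete checks a defender can run: a version test against the affected range the advisory lists (6.309 to 6.334, inclusive), and a policy evaluation over constructed firewall flow records that flags the three behaviours the kill chain predicts (unsolicited inbound HTTP to the Longwatch host, lateral connections from it inside the OT segment, and outbound connections from it to anything not on an allow list). All hosts, subnets and log lines are made up for illustration; the vulnerable endpoint path is not published here, so no path-specific signature is attempted.

```python
"""Triage helpers for CVE-2025-13658 exposure: version range check plus a
segmentation/egress policy run over flow records.  Added example; the network
layout, allow lists and log lines are constructed, not taken from any deployment."""
from ipaddress import ip_address, ip_network

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (6, 309)
AFFECTED_MAX = (6, 334)


def parse_version(version: str) -> tuple:
    """'6.312' -> (6, 312).  Raises ValueError on anything that is not major.minor."""
    major, minor = version.strip().split(".", 1)
    return (int(major), int(minor))


def is_affected(version: str) -> bool:
    """True when the reported Longwatch build falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed network layout (assumption): the OT segment holding the Longwatch
# host, the only management subnet allowed to reach its web interface, and the
# only outbound destinations the host legitimately needs (syslog, NTP).
OT_SUBNET = ip_network("192.168.50.0/24")
MGMT_SUBNET = ip_network("10.10.0.0/24")
WEB_PORTS = {80, 443}
OT_OUTBOUND_ALLOWED = {
    (ip_address("10.10.0.20"), 514),   # syslog collector
    (ip_address("10.10.0.21"), 123),   # NTP
}


def parse_flow(line: str) -> dict:
    """Parse a key=value flow record such as
    'ts=... src=10.10.0.5 dst=192.168.50.10 dport=80 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def evaluate(rec: dict):
    """Return an alert reason for a flow that violates the segmentation policy,
    or None when the flow is permitted or does not involve the OT segment."""
    src, dst, dport = rec["src"], rec["dst"], rec["dport"]
    if dst in OT_SUBNET and src not in OT_SUBNET:
        # Inbound to OT: only the management subnet, and only to the web ports.
        # Anything else is the Initial Compromise pattern from the kill chain.
        if src in MGMT_SUBNET and dport in WEB_PORTS:
            return None
        return "inbound-unauthorized"
    if src in OT_SUBNET:
        # Outbound from OT: explicit allow list only.  Inside the segment this
        # is lateral movement; outside it is an egress (C2/exfiltration) violation.
        if (dst, dport) in OT_OUTBOUND_ALLOWED:
            return None
        return "lateral-movement" if dst in OT_SUBNET else "egress-violation"
    return None


def triage(lines) -> list:
    """Run the policy over flow records and return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        reason = evaluate(rec)
        if reason is not None:
            alerts.append({**rec, "reason": reason})
    return alerts


# Constructed sample flows: one permitted management session, an Internet
# source hitting the web port, a call-out from the Longwatch host, permitted
# syslog, an SMB connection to another OT host, and a business-LAN client.
SAMPLE_FLOWS = [
    "ts=2025-12-02T10:01:05Z src=10.10.0.5 dst=192.168.50.10 dport=80 proto=tcp",
    "ts=2025-12-02T10:02:11Z src=203.0.113.44 dst=192.168.50.10 dport=80 proto=tcp",
    "ts=2025-12-02T10:02:14Z src=192.168.50.10 dst=198.51.100.7 dport=443 proto=tcp",
    "ts=2025-12-02T10:03:00Z src=192.168.50.10 dst=10.10.0.20 dport=514 proto=udp",
    "ts=2025-12-02T10:03:30Z src=192.168.50.10 dst=192.168.50.22 dport=445 proto=tcp",
    "ts=2025-12-02T10:04:00Z src=172.16.8.9 dst=192.168.50.10 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for v in ("6.308", "6.309", "6.320", "6.334", "6.335"):
        print(f"Longwatch {v}: {'AFFECTED' if is_affected(v) else 'not in range'}")
    for a in triage(SAMPLE_FLOWS):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
```

The policy is deliberately default-deny in both directions for the OT segment: the device's web interface is reachable only from the management subnet, and the device itself may open connections only to the listed collectors. Feed it real flow exports and the three reason codes map directly onto the Initial Compromise, Lateral Movement and Command & Control/Exfiltration stages of the attack path above.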