CVE-2025-47552
Digital · Digital zoom studio DZS Video Gallery
A critical vulnerability has been identified in the Digital zoom studio (DZS) Video Gallery software, assigned CVE-2025-47552.
Executive summary
A critical vulnerability has been identified in the Digital zoom studio (DZS) Video Gallery software, assigned CVE-2025-47552. The flaw, rated CVSS 9.8, lets an unauthenticated remote attacker take complete control of an affected server by sending a specially crafted serialized payload to the application. Successful exploitation can lead to total system compromise, data theft and significant service disruption.
Vulnerability
The software is vulnerable to Deserialization of Untrusted Data (CWE-502). Attacker-controlled input reaches a deserialization routine without validation, so a remote user can supply the serialized form of any class the application has loaded, with property values of their choosing. The payload itself carries no code: the damage comes from what the application does with the reconstructed object. Lifecycle methods such as PHP's __wakeup() and __destruct() run automatically during or after deserialization, and by chaining classes that already exist in the application or its libraries (a "gadget chain") an attacker turns that into a file write, a database query or a function call of their choosing. This is why the bug class is also called "Object Injection" in PHP. The result is Remote Code Execution (RCE) with the permissions of the web application process and, from there, a full compromise of the server.
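The pattern described above, as an added example that is not code from DZS Video Gallery or its vendor. It assumes the affected code is PHP (the page does not state the language; "object injection" is the PHP name for this flaw) and uses hypothetical class, handler and parameter names: a class whose destructor is harmless on its own, a handler that feeds a request parameter into unserialize(), a constructed payload that abuses it, and two hardened variants.

```php
<?php
// Added example (not code from DZS Video Gallery or its vendor). It models the
// bug class the advisory describes, assumed here to be PHP object injection;
// the class, handler and parameter names are hypothetical. Requires PHP 7.4+.

// A class the application already loads for a legitimate purpose. Its
// destructor writes a file, which is harmless when the application itself
// decides the path and contents.
class CacheWriter
{
    public string $path = '/tmp/cache.tmp';
    public string $data = '';

    public function __destruct()
    {
        // Runs automatically whenever a CacheWriter is destroyed, including one
        // that unserialize() created from attacker-supplied bytes.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: a request parameter goes straight into unserialize().
// The attacker picks the class and every property value.
function vulnerableHandler(array $request): void
{
    $settings = unserialize($request['settings']);
    // The code never treats $settings as a CacheWriter, but the object exists
    // now and its __destruct() fires when this function returns.
}

// Hardened pattern 1: keep unserialize() but forbid object creation. Objects in
// the input become __PHP_Incomplete_Class, whose magic methods never run.
function hardenedHandler(array $request): array
{
    $settings = @unserialize($request['settings'], ['allowed_classes' => false]);
    if (!is_array($settings)) {
        throw new InvalidArgumentException('settings must be a serialized array');
    }
    return $settings;
}

// Hardened pattern 2 (preferred): a data-only format cannot describe objects.
function jsonHandler(array $request): array
{
    $settings = json_decode($request['settings'], true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($settings)) {
        throw new InvalidArgumentException('settings must be a JSON object or array');
    }
    return $settings;
}

// Constructed payload: a serialized CacheWriter whose destructor writes a marker
// file. The same technique with a path under the web root and PHP code as
// $data yields a web shell.
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:16:"/tmp/oi_demo.txt";'
         . 's:4:"data";s:22:"object injection fired";}';
$request = ['settings' => $payload];

@unlink('/tmp/oi_demo.txt');
vulnerableHandler($request);
echo file_exists('/tmp/oi_demo.txt')
    ? "vulnerable handler: destructor ran, /tmp/oi_demo.txt written\n"
    : "vulnerable handler: no file written\n";
@unlink('/tmp/oi_demo.txt');

try {
    hardenedHandler($request);
} catch (InvalidArgumentException $e) {
    echo "hardened handler: rejected ({$e->getMessage()})\n";
}
try {
    jsonHandler($request);
} catch (JsonException $e) {
    echo "json handler: rejected ({$e->getMessage()})\n";
}
```

Run it with `php example.php`. The vulnerable handler never calls anything on the injected object; the file appears purely because the object was constructed and later destroyed. The `allowed_classes` option is the narrowest fix for code that must keep unserialize(); moving the endpoint to JSON removes the problem class entirely.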
Business impact
This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.8. A successful exploit could allow an attacker to gain complete control over the affected server, leading to severe consequences such as the theft of sensitive business or customer data, deployment of ransomware, disruption of critical services hosted on the server, and using the compromised system as a pivot point to launch further attacks against the internal network. The potential for reputational damage and financial loss is extremely high.
Remediation
Immediate Action: Update the DZS Video Gallery software on all affected systems to the latest version provided by the vendor; versions 12.37 and earlier are affected, so the installed version must be higher than 12.37. Patching does not undo a compromise that happened earlier: after updating, review web server access logs and application logs for suspicious activity and check the systems for signs of exploitation that predate the update.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Look for POST requests or query strings carrying serialized-object syntax (`O:<n>:"ClassName"`), often URL- or base64-encoded, and for unexpected or malformed requests to the plugin's endpoints. Monitor for processes spawned by the web server user (a shell or interpreter started by the web application process is almost never legitimate), unusual outbound network connections from the server, and application error logs that indicate failed deserialization attempts; for a PHP application these appear as `unserialize(): Error at offset` notices.
Compensating Controls: If immediate patching is not feasible, reduce exposure in the meantime. Place the application behind a Web Application Firewall (WAF) with rules that decode request parameters (URL and base64 encoding) and block values containing serialized-object syntax; treat this as a stopgap, since WAF pattern matching can be bypassed with alternative encodings. Restrict network access to the application so that only trusted IP addresses can reach it. Run the application under the principle of least privilege (a dedicated service account with no write access to the web root or other code directories) to limit what a successful exploit can do.
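A detector for the serialized-object syntax that the monitoring and WAF advice above refers to, as an added example that is not part of the original advisory or of the plugin. It assumes PHP serialization (the format behind PHP object injection), handles URL- and base64-encoded transport, and runs over constructed request values and a constructed access-log line; the path and parameter names in the samples are hypothetical.

```php
<?php
// Added example, not part of the original advisory or of DZS Video Gallery.
// Hypothetical detector for PHP-serialized object syntax in request parameters,
// usable as a WAF-style check or as a filter during access-log review.

// Return the value plus every decoding an attacker could plausibly have applied.
function decodeCandidates(string $value): array
{
    $out = [$value];
    $decoded = $value;
    for ($i = 0; $i < 2; $i++) {            // single or double URL encoding
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
        $out[] = $decoded;
    }
    $trim = trim($decoded);                 // base64-wrapped blobs are common
    if (preg_match('~^[A-Za-z0-9+/=]{8,}$~', $trim)) {
        $b64 = base64_decode($trim, true);  // strict: reject non-base64 text
        if ($b64 !== false) {
            $out[] = $b64;
        }
    }
    return $out;
}

// Match the grammar of a serialized object, also when nested inside an array:
//   O:<len>:"<Class>":<count>:{   plain object
//   C:<len>:"<Class>":<len>:{     class implementing Serializable
function containsSerializedObject(string $value): bool
{
    $pattern = '/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';
    foreach (decodeCandidates($value) as $candidate) {
        if (preg_match($pattern, $candidate)) {
            return true;
        }
    }
    return false;
}

// Pull the query string out of a combined-format access log line and report the
// parameter names whose values look like serialized objects.
function scanAccessLogLine(string $line): array
{
    if (!preg_match('/"(?:GET|POST|PUT) (\S+) HTTP/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);             // parse_str URL-decodes once
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && containsSerializedObject($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed samples: one malicious object payload in three encodings, plus
// two benign values (a normal parameter and a serialized array with no object).
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:16:"/tmp/oi_demo.txt";'
         . 's:4:"data";s:22:"object injection fired";}';
$samples = [
    'benign'       => 'page=2',
    'plain object' => $payload,
    'url-encoded'  => rawurlencode($payload),
    'base64'       => base64_encode($payload),
    'benign array' => 'a:2:{i:0;s:1:"a";i:1;s:1:"b";}',
];
foreach ($samples as $label => $value) {
    printf("%-13s %s\n", $label, containsSerializedObject($value) ? 'BLOCK' : 'allow');
}

// Constructed access-log line (hypothetical path and parameter names).
$logLine = '203.0.113.7 - - [12/Jun/2025:10:15:42 +0000] "GET /gallery/settings.php?id=7&settings='
         . rawurlencode($payload) . ' HTTP/1.1" 200 4096 "-" "curl/8.4.0"';
echo 'suspicious parameters in log line: ' . implode(', ', scanAccessLogLine($logLine)) . "\n";
```

Two caveats when using this. Access logs record only the request line, so POST bodies never appear there; the same check has to run in the WAF or in an application-level hook to cover bodies. And the grammar match flags every serialized object, including ones the application legitimately round-trips through its own forms, so tune the rule per endpoint rather than applying it site-wide without review.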
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) and the potential for complete system compromise, immediate action is required. We strongly recommend patching all instances of DZS Video Gallery version 12.37 and earlier to the latest version without delay. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, but deserialization payloads are straightforward to construct once the vulnerable endpoint is known, so the absence of a public exploit should not lower its priority. Treat any system as compromised if log review shows evidence of exploitation, and begin incident response rather than relying on the patch alone.