Critical flaw found in IDIS Cloud Manager CCTV viewer

Claroty researchers have disclosed a remote code execution vulnerability in IDIS Cloud Manager Viewer, a Windows client used to access IDIS video surveillance systems.

The issue affects the IDIS Cloud Manager (ICM) viewer component, which organisations use for live monitoring, video search and backups through IDIS's cloud service. IDIS supplies IP cameras, network video recorders and video management software, and sells cloud management under the ICM name.

Claroty said the flaw allows a one-click attack if a user visits a malicious web link. The attacker can run code on the PC that hosts the ICM Viewer, Claroty said. From there, an attacker can move through internal networks and target other endpoints, including other cameras connected to the same environment.

Claroty said IDIS CCTV systems are used widely in Australia across government facilities, local councils, critical infrastructure and retail environments.

Attack chain

In its write-up, Claroty described a client-side pathway where a web page can communicate with a local service that ships with the ICM Viewer installation. The firm said the ICM Viewer uses a Windows service that listens on a local port. Claroty said a crafted message can trigger the viewer to launch with injected command-line arguments, which can lead to code execution.

The attack described begins with social engineering. Claroty said the exploit relies on tricking a user into clicking an untrusted link, which then causes code to execute outside the browser environment.

Claroty contrasted the behaviour with typical web attacks where an attacker remains constrained to code that runs inside a browser sandbox. Claroty said this issue breaks out of that model and reaches the host machine itself.

The firm said the consequences can extend beyond the initial PC. It said attackers can use access to the host system as a pivot point for lateral movement across internal networks.

Risk scenarios

Claroty said surveillance systems can become an entry point for cyber attackers. It also cited potential secondary harms involving misuse of video data. They also raised the overlap between physical security tooling and cyber risk.

Video surveillance systems designed to monitor and protect organisations can instead become an entry point for cyber criminals, undermining both their cyber and physical security, the researchers added.

Patching guidance

IDIS requires users who keep the ICM Viewer installed to upgrade to version 1.7.1, according to Claroty's disclosure. Claroty also advised organisations to remove the ICM Viewer if they do not upgrade.

Claroty is urging companies that currently use the ICM viewer to upgrade their devices to v1.7.1 or otherwise uninstall it immediately.

The vulnerability has a CVE identifier, CVE-2025-12556. Claroty said the issue received a CVSS v4 score of 8.7. The firm said IDIS confirmed the vulnerability after disclosure.

The write-up points to several contributing factors in the attack flow, including insufficient validation around the local service communication and how the viewer processes launch arguments.

For operators of IP camera estates, the disclosure highlights the risk introduced by desktop management components that sit alongside cloud management portals. In the described scenario, the compromise route begins with a web link but ends with control of a Windows host inside the target network.

Claroty encouraged organisations to check whether they run the ICM Viewer and to apply the vendor's update guidance.