Why Roaming SIMs Aren’t Immune to Cyber Threats

The recent discovery of a critical vulnerability in Hikvision’s HikCentral platform—known as the ApplyCT exploit (CVE‑2025‑34067)—has major implications not just for traditional fixed IP setups, but also for roaming IoT SIM deployments. As more CCTV systems use roaming multi-network SIM cards with public IP addresses for remote access, they become attractive targets for remote code execution attacks.

This blog post outlines what the Hikvision ApplyCT exploit is, how it affects systems deployed with roaming SIM cards, and what measures can be taken to secure any mobile or remote CCTV setup. For a detailed deep-dive into fixed IP SIM scenarios, we also recommend reading the full version of our analysis here: The Hikvision ApplyCT Exploit – EUICC.co.uk.


The Hikvision ApplyCT Exploit: A Quick Overview

On 30 June 2025, a security researcher disclosed a critical vulnerability in the HikCentral Professional video surveillance management software. This flaw allows unauthenticated remote attackers to execute arbitrary code on the server simply by sending a crafted JSON payload to a specific endpoint: /bic/ssoService/v1/applyCT.

The underlying issue is linked to insecure use of the Fastjson library in Java, which—when configured incorrectly—enables attackers to force the server to deserialize malicious payloads. This can result in the attacker gaining full control of the system, potentially tampering with CCTV feeds, installing malware, or pivoting into broader network environments.

Public scanning and exploitation of this vulnerability began just days after its disclosure, with confirmed incidents across a variety of sectors including retail, local government, and construction sites.
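One way to check whether a deployment has already been probed is to search web or reverse-proxy access logs for requests to the endpoint named above. The following is an added example, not part of the original post or any Hikvision tooling; it assumes logs in Common/Combined Log Format, and the sample lines, IP addresses and the `10.8.0.0/24` management range are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the post, lower-cased for case-insensitive comparison.
APPLYCT_PATH = "/bic/ssoservice/v1/applyct"

# Assumption: the proxy in front of HikCentral writes Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [02/Jul/2025:03:14:07 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [02/Jul/2025:03:14:09 +0000] "POST /bic/ssoservice/v1/applyCT/ HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.77 - - [02/Jul/2025:04:01:55 +0000] "GET /bic/ssoService/v1/%61pplyCT?x=1 HTTP/1.1" 404 0 "-" "-"',
    '10.8.0.5 - - [02/Jul/2025:09:00:00 +0000] "POST /bic/ssoService/v1/applyCT HTTP/1.1" 200 128 "-" "-"',
    '203.0.113.77 - - [02/Jul/2025:04:02:10 +0000] "GET /portal/login HTTP/1.1" 200 2048 "-" "-"',
]

def find_applyct_requests(lines, trusted_nets=()):
    """Return {source_ip: [(timestamp, method, status), ...]} for sources
    outside trusted_nets that requested the applyCT endpoint."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Normalise the path: drop the query string, percent-decode,
        # collapse repeated slashes, ignore case and a trailing slash.
        raw_path = m["target"].split("?", 1)[0]
        path = re.sub(r"/+", "/", unquote(raw_path)).lower().rstrip("/")
        if path != APPLYCT_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        if any(src in net for net in nets):
            continue  # request came over the management VPN range
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)
```

Any hit from an address outside the management range means the endpoint was reachable from the internet, which is itself a finding regardless of the response status.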


How This Affects Roaming SIM Card Deployments

Many mobile CCTV systems—including those used on construction sites, in vehicles, or at pop-up retail locations—rely on roaming M2M SIM cards for internet access. These SIMs are often deployed in 4G/5G routers and can be configured with public or fixed IP addresses for remote monitoring.

While roaming SIMs provide connectivity across multiple networks, they do not inherently protect devices from being exposed to the internet. In fact, public IP roaming SIMs often have:

  • Open inbound access unless secured via firewall or VPN.
  • Port forwarding configured to allow direct camera or NVR access.
  • No segmentation between devices, allowing lateral movement if one device is compromised.

If the HikCentral software or any Hikvision device is deployed behind a router using such a SIM, and port forwarding is in place to allow remote configuration or viewing, the ApplyCT vulnerability becomes an immediate threat.


Real-World Consequences

1. Compromised Video Surveillance
Attackers can disable or manipulate video feeds, leaving sites unmonitored during critical periods. In many roaming SIM deployments, the connection is relied upon as the sole method for monitoring—meaning no fallback exists if video is interrupted.

2. Exploding Data Usage and Costs
Exfiltration of video footage, botnet activity, or brute-force attack traffic can push roaming SIMs far beyond their expected data caps. Since data on roaming SIMs is usually more expensive than on domestic-only SIMs, the financial impact can be significant.

3. Legal and Reputational Impact
Stolen footage, data leaks, and downtime can violate client contracts or lead to GDPR-related fines, particularly in industries like healthcare or retail.

4. Customer Frustration and Emergency Callouts
Installers and service providers may be blamed for insecure configurations, and clients may demand emergency visits to resecure compromised networks.


Key Differences with Roaming SIM-Based Systems

Unlike fixed IP SIMs where the configuration is usually static, roaming SIMs can introduce additional variability:

  • Public IPs may change unless a fixed IP service is in place.
  • Multi-network switching can make whitelisting IPs more complex.
  • Some roaming SIMs do not support inbound VPN connections unless specifically provisioned.

This means that securing the system must be done at multiple levels: SIM, router, and device.


How to Secure Roaming SIM CCTV Setups

Use Private APNs with VPN Access
Where possible, deploy roaming SIMs that operate on a private APN and only allow access via an encrypted VPN tunnel. This prevents direct internet exposure.

Avoid Port Forwarding to Cameras or NVRs
If public access is required, place the CCTV devices behind a router with a VPN client or central cloud access proxy—never expose device ports to the internet.

Lock Down the Router

  • Disable UPnP, remote GUI, and Telnet.
  • Use strong, complex passwords.
  • Only allow admin access from secure management IPs or through VPN.

Patch All Hikvision Software and Devices
Ensure HikCentral is updated to version 2.5.5 or later, which mitigates the ApplyCT exploit. Apply firmware updates to all IP cameras and NVRs.

Implement Alerts for Unusual Data Usage
Use router-side or SIM provider tools to track data use and set thresholds. Unusual traffic should be investigated immediately.
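A sketch of how such thresholds can be computed from per-SIM daily usage figures, as an added example that is not part of the original post or any provider's tooling. It assumes usage is exported as megabytes per day for the current billing month; the SIM names, figures, plan size and the `spike_factor` default are constructed.

```python
from statistics import median

# Constructed sample: MB used per day so far this billing month, per SIM.
SAMPLE_USAGE = {
    "sim-site-gate": [410, 395, 420, 405, 400, 415, 2900],
    "sim-van-03": [400, 410, 390, 405, 395, 400, 410],
    "sim-new": [50, 60],
}

def usage_alerts(daily_mb, plan_mb, days_in_month=30,
                 spike_factor=3.0, min_history=5):
    """Return {sim_id: [reason, ...]} for SIMs whose latest day is a spike
    against their own baseline or whose month is heading over plan_mb."""
    alerts = {}
    for sim, series in daily_mb.items():
        if not series:
            continue
        *history, today = series
        reasons = []
        # Spike check needs enough history to form a baseline.
        if len(history) >= min_history:
            baseline = median(history)
            # Median absolute deviation: a spread measure that one
            # earlier outlier day cannot inflate.
            mad = median(abs(x - baseline) for x in history)
            # Use the larger bound so naturally noisy SIMs do not flap.
            threshold = max(baseline * spike_factor, baseline + 6 * mad)
            if today > threshold:
                reasons.append("spike")
        used = sum(series)
        # Linear projection of month-end usage from the days seen so far.
        projected = used / len(series) * days_in_month
        if used > plan_mb:
            reasons.append("over_allowance")
        elif projected > plan_mb:
            reasons.append("projected_overage")
        if reasons:
            alerts[sim] = reasons
    return alerts
```

With a 15,000 MB plan, only `sim-site-gate` is flagged: its last day is roughly seven times its median, and the month is projected to exceed the allowance.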

Segment the Network
Where feasible, isolate surveillance devices from other systems, even on mobile deployments.


FAQs

Q: Are roaming SIMs safer than fixed IP SIMs?
Not inherently. If a public IP is used and no firewall or VPN is in place, roaming SIMs can be equally vulnerable to exploitation.

Q: Can the ApplyCT exploit affect small systems?
Yes. Even a single camera system can be used to launch further attacks or generate expensive traffic.

Q: How can I detect if my system has been attacked?
Watch for camera feeds going offline, strange GUI behavior, high outbound traffic, or unexpected admin logins.

Q: Does using multi-network connectivity protect me?
Not from this vulnerability. It only improves signal availability. Security still depends on software and network configuration.

Q: Can I get fixed IP over a roaming SIM?
Yes, some providers (like RoamingSIM.co.uk) offer fixed IP over roaming networks with optional firewall and VPN features.

Q: What if I already deployed systems in the field?
Conduct an urgent review. Disable any exposed ports, update firmware, and migrate to VPN-based access where possible.

Q: Does Hikvision offer guidance?
Yes, they have issued an advisory. But you are responsible for network-level exposure—especially with third-party SIMs and routers.

Q: Is this limited to Hikvision?
No. Any manufacturer using outdated deserialization libraries, or with exposed ports, could be vulnerable.

Q: What’s the biggest risk?
A compromised system that streams video to attackers continuously—leading to large-scale data overage and potential breach of trust with clients.


Conclusion

The Hikvision ApplyCT exploit is a stark reminder that convenient access can mean dangerous exposure. For roaming SIM deployments where CCTV and IoT systems are often deployed in the field without direct IT oversight, this risk is amplified.

To protect your deployments:

  • Use VPN-only access.
  • Avoid exposing ports.
  • Patch systems and devices.
  • Monitor your SIM traffic.
  • Understand the capabilities of your router and SIM provider.

To learn more about secure SIM-based deployments and available roaming IoT SIM solutions, visit RoamingSIM.co.uk.

For a full technical analysis focused on fixed IP SIM security and the original Hikvision exploit, read the companion article at EUICC.co.uk.

One vulnerability. One misconfiguration. And an entire network—compromised.