CVE-2025-66177
📋 TL;DR
A stack overflow vulnerability in Hikvision's device Search and Discovery feature allows attackers on the same local network to crash devices by sending specially crafted packets. This affects Hikvision NVR, DVR, CVR, and IPC models with unpatched firmware. The vulnerability requires LAN access but can cause denial of service.
💻 Affected Systems
- Hikvision NVR
- Hikvision DVR
- Hikvision CVR
- Hikvision IPC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring physical reboot, potentially disrupting surveillance operations and causing data loss during recording.
Likely Case
Device becomes unresponsive or reboots, interrupting surveillance feeds and requiring manual intervention.
If Mitigated
Minimal impact with proper network segmentation and patching, though temporary service interruption possible during attack.
🎯 Exploit Status
Exploitation requires crafting specific packets but no authentication needed. LAN access is the primary barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific firmware versions
Vendor Advisory: https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/
Restart Required: Yes
Instructions:
1. Visit Hikvision security advisory. 2. Identify affected models. 3. Download latest firmware. 4. Upload via web interface. 5. Reboot device.
🔧 Temporary Workarounds
Disable Search and Discovery
allTurn off the vulnerable feature if not required for operations
Network Segmentation
allIsolate surveillance devices on separate VLAN with strict access controls
🧯 If You Can't Patch
- Segment surveillance network from general corporate LAN using firewalls
- Implement network monitoring for abnormal UDP/TCP traffic to device discovery ports
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against vendor advisory; if Search and Discovery is enabled and firmware is outdated, assume vulnerable.Check Version:
Check via web interface: System > Maintenance > Version InformationVerify Fix Applied:
Verify firmware version matches patched version in advisory and test Search and Discovery functionality.📡 Detection & Monitoring
Log Indicators:
- Device reboot logs
- Service crash entries
- Abnormal packet size logs in network logs
Network Indicators:
- Unusual UDP/TCP traffic to device discovery ports (typically 37020)
- Large packets to surveillance devices
SIEM Query:
source="network_firewall" dest_port=37020 packet_size>1000