CVE-2025-66176

Hikvision · Hikvision Multiple Access Control Products

A high-severity stack overflow vulnerability has been identified in the device search and discovery feature of multiple Hikvision Access Control products.

Executive summary

A high-severity stack overflow vulnerability has been identified in the device search and discovery feature of multiple Hikvision Access Control products. A remote attacker could exploit this flaw by sending a specially crafted network packet, potentially allowing them to execute arbitrary code and gain complete control over the affected physical access control systems. This could lead to unauthorized physical access, system tampering, and further network intrusion.

Vulnerability

The vulnerability is a stack-based buffer overflow in the service that handles device search and discovery requests. An unauthenticated attacker on the same local network can send the discovery service a specially crafted packet carrying more data than the service expects. The excess data overwrites the program's stack, including critical control data such as the function's return address, so the attacker can redirect execution to code of their choosing (shellcode) supplied in the packet. The result is arbitrary code execution with the privileges of the service, which are likely high.
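The copy-without-bounds pattern described above, shown as an added illustration that is not Hikvision's code and does not reflect the real discovery protocol: a constructed length-prefixed request format, a handler that trusts the length field and copies into a fixed stack buffer, and the hardened handler that validates the length against both the packet and the destination buffer before copying. The wire format, the function names, the 32-byte buffer and the sample requests are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not Hikvision's real protocol):
 * a 2-byte big-endian length followed by that many bytes of device-name text. */
#define NAME_BUF_LEN 32

/* Vulnerable pattern: trusts the length field from the packet and copies into
 * a fixed-size stack buffer. A length larger than NAME_BUF_LEN overruns name[]
 * and the rest of the stack frame, including the saved return address. */
int handle_discovery_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF_LEN];
    if (pkt_len < 2)
        return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(name, pkt + 2, claimed);      /* BUG: claimed is never bounded */
    name[claimed] = '\0';                /* BUG: off by one even at the limit */
    return (int)strlen(name);
}

/* Hardened version: the length must fit both the packet and the destination
 * buffer (with room for the terminator) before any byte is copied. */
int handle_discovery_safe(const uint8_t *pkt, size_t pkt_len,
                          char *out, size_t out_len)
{
    if (pkt_len < 2 || out_len == 0)
        return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > pkt_len - 2)           /* claims more than was received */
        return -1;
    if (claimed >= out_len)              /* would not fit with the NUL */
        return -1;
    memcpy(out, pkt + 2, claimed);
    out[claimed] = '\0';
    return (int)claimed;
}

/* Build a request whose length field claims `claimed` bytes regardless of how
 * much payload is actually supplied, so malformed packets can be modelled. */
size_t build_request(uint8_t *buf, size_t buf_len, const char *text, size_t claimed)
{
    size_t text_len = strlen(text);
    if (buf_len < 2 + text_len)
        return 0;
    buf[0] = (uint8_t)(claimed >> 8);
    buf[1] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 2, text, text_len);
    return 2 + text_len;
}

/* Well-formed request: accepted, name recovered intact. */
int demo_valid_request(void)
{
    uint8_t pkt[64];
    char out[NAME_BUF_LEN];
    size_t n = build_request(pkt, sizeof pkt, "lobby-reader", 12);
    return handle_discovery_safe(pkt, n, out, sizeof out) == 12
           && strcmp(out, "lobby-reader") == 0;
}

/* Length field claims 1000 bytes but only 12 arrived: rejected before copying. */
int demo_truncated_rejected(void)
{
    uint8_t pkt[64];
    char out[NAME_BUF_LEN];
    size_t n = build_request(pkt, sizeof pkt, "lobby-reader", 1000);
    return handle_discovery_safe(pkt, n, out, sizeof out) == -1;
}

/* Length field and payload agree (40 bytes) but exceed the 32-byte buffer:
 * also rejected, which is exactly the case the unsafe handler mishandles. */
int demo_oversized_rejected(void)
{
    uint8_t pkt[64];
    char out[NAME_BUF_LEN];
    const char *forty = "0123456789012345678901234567890123456789";
    size_t n = build_request(pkt, sizeof pkt, forty, 40);
    return handle_discovery_safe(pkt, n, out, sizeof out) == -1;
}

int main(void)
{
    printf("valid: %d, truncated rejected: %d, oversized rejected: %d\n",
           demo_valid_request(), demo_truncated_rejected(), demo_oversized_rejected());
    return 0;
}
```

The two checks in the hardened handler are independent: one catches a length field that exceeds what was actually received, the other a payload that is fully present but larger than the destination. Compiler hardening such as stack protectors turns the unsafe path into a crash rather than a silent overwrite, which is why the remediation section asks for crash and reboot monitoring, but it is not a substitute for the bounds check.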

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the organization's physical and network security. Successful exploitation could grant an attacker complete administrative control over building access systems, enabling them to unlock secure doors, disable alarms, and manipulate access logs to conceal their activities. This could lead to theft of physical assets, corporate espionage, or physical harm to personnel. Furthermore, a compromised access control device can serve as a pivot point for launching further attacks against the internal corporate network.

Remediation

Immediate Action: Apply the security updates released by Hikvision to all affected access control devices as the primary mitigation. Before and after patching, closely monitor network traffic for anomalous packets directed at the device discovery service and review device logs for crashes, unexpected reboots, or unauthorized access attempts.

Proactive Monitoring: Implement network monitoring to detect and alert on malformed packets targeting the Hikvision discovery protocol ports (typically UDP). Monitor system logs on the devices for any process crashes or unusual behavior. Network Intrusion Detection/Prevention Systems (IDS/IPS) should be updated with signatures for CVE-2025-66176 as they become available.

Compensating Controls: If immediate patching is not feasible, implement network segmentation to isolate the access control devices from general user networks. Use firewall rules or Access Control Lists (ACLs) to strictly limit communication to the device discovery service, allowing access only from trusted security and administration subnets or specific IP addresses.
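An added example of the monitoring and allow-list logic the two paragraphs above describe, written against constructed capture records rather than any Hikvision log or packet format. The discovery port, the trusted management subnet and the maximum legitimate request length are placeholders, since the advisory does not state them; the same three values are what a firewall rule (allow the trusted subnet to the discovery port, drop everything else) and an IDS size threshold would be built from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DISCOVERY_PORT    60000  /* PLACEHOLDER: the advisory names no port */
#define MAX_DISCOVERY_LEN 64     /* PLACEHOLDER: largest legitimate request, bytes */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct datagram {      /* one captured UDP datagram (constructed sample) */
    uint32_t src_ip;   /* IPv4 source, host byte order */
    uint16_t dst_port;
    uint16_t len;      /* UDP payload length */
};

struct cidr { uint32_t net; uint32_t mask; };

struct cidr cidr_of(uint32_t net, int prefix)
{
    struct cidr c;
    if (prefix <= 0)
        c.mask = 0;
    else if (prefix >= 32)
        c.mask = 0xFFFFFFFFu;
    else
        c.mask = 0xFFFFFFFFu << (32 - prefix);
    c.net = net & c.mask;
    return c;
}

int in_cidr(uint32_t ip, struct cidr c)
{
    return (ip & c.mask) == c.net;
}

#define REASON_UNTRUSTED_SRC 1   /* ACL violation: source outside admin subnet */
#define REASON_OVERSIZED     2   /* larger than any legitimate discovery request */

/* Bitmask of reasons a datagram to the discovery port should raise an alert.
 * Traffic to other ports is out of scope for this check and returns 0. */
int classify(const struct datagram *d, struct cidr trusted)
{
    int reasons = 0;
    if (d->dst_port != DISCOVERY_PORT)
        return 0;
    if (!in_cidr(d->src_ip, trusted))
        reasons |= REASON_UNTRUSTED_SRC;
    if (d->len > MAX_DISCOVERY_LEN)
        reasons |= REASON_OVERSIZED;
    return reasons;
}

int count_alerts(const struct datagram *pkts, size_t n, struct cidr trusted)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        if (classify(&pkts[i], trusted) != 0)
            alerts++;
    return alerts;
}

/* Constructed capture: 10.50.0.0/24 is the assumed admin subnet, 10.20.3.0/24
 * an ordinary user VLAN. None of these addresses come from the advisory. */
#define SAMPLE_COUNT 5
static const struct datagram SAMPLES[SAMPLE_COUNT] = {
    { IP4(10, 50, 0, 7),  DISCOVERY_PORT, 24   },  /* admin host, normal size     */
    { IP4(10, 20, 3, 15), DISCOVERY_PORT, 24   },  /* user VLAN, normal size      */
    { IP4(10, 50, 0, 7),  DISCOVERY_PORT, 1400 },  /* admin host, oversized       */
    { IP4(10, 20, 3, 15), DISCOVERY_PORT, 1400 },  /* user VLAN, oversized        */
    { IP4(10, 20, 3, 15), 443,            1400 },  /* other service, out of scope */
};

static struct cidr trusted_subnet(void)
{
    return cidr_of(IP4(10, 50, 0, 0), 24);
}

int sample_reason(int i)
{
    if (i < 0 || i >= SAMPLE_COUNT)
        return -1;
    return classify(&SAMPLES[i], trusted_subnet());
}

int demo_alert_count(void)
{
    return count_alerts(SAMPLES, SAMPLE_COUNT, trusted_subnet());
}

int main(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++)
        printf("sample %d: reasons=%d\n", i, sample_reason(i));
    printf("alerts: %d\n", demo_alert_count());
    return 0;
}
```

An oversized datagram from a host that is on the allow-list (sample 2) still alerts, which is the point of keeping the size check separate from the ACL: segmentation limits who can reach the service, while the size threshold catches a malformed request regardless of where it came from.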

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the critical function of the affected devices, this vulnerability must be treated as a top priority. We strongly recommend that all affected Hikvision Access Control products be patched immediately. Although this CVE is not currently listed in the CISA KEV catalog, the potential for an attacker to gain control over physical security infrastructure represents a severe and direct risk to the organization. If patching is delayed, compensating controls such as network segmentation and strict access control lists must be implemented without delay to reduce the attack surface.