CVE-2025-66177

Hikvision · Hikvision NVR/DVR/CVR/IPC models (device Search and Discovery feature)

Executive summary

A high-severity stack overflow vulnerability has been discovered in the device Search and Discovery feature of multiple Hikvision security products, including NVRs, DVRs, and cameras. A remote, unauthenticated attacker could exploit this flaw by sending a malicious network packet, potentially allowing them to execute arbitrary code and gain full control of the affected device. This could lead to a complete compromise of an organization's physical security monitoring capabilities.

Vulnerability

This is a stack-based buffer overflow vulnerability within the service that handles device search and discovery requests. An unauthenticated attacker on the same local network can send a specially crafted packet to this service. The packet contains more data than the buffer allocated on the stack can handle, causing the excess data to overwrite adjacent memory, including the function's return address. By controlling this overwritten data, the attacker can redirect the program's execution flow to a payload of their choosing, resulting in remote code execution with high privileges on the device.
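As an added illustration of the defect class described above (example code written for this page, not Hikvision's code and not derived from the affected firmware), the following C block contrasts a hypothetical discovery-request handler that trusts a packet-supplied length field with a hardened version that validates it before copying. The 2-byte big-endian length header, the 64-byte body maximum, the packet layout and all function names are assumptions for the example; the real discovery wire format is not shown on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical discovery-request layout (assumed for this example only):
 * a 2-byte big-endian body length, followed by that many payload bytes. */
#define DISCOVERY_HDR_LEN   2
#define DISCOVERY_MAX_BODY  64   /* assumed protocol maximum for the body */

/* Read the big-endian body length declared in the header. */
static size_t declared_len(const uint8_t *pkt) {
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* VULNERABLE pattern (the defect class the advisory describes):
 * the length taken from the packet is trusted and copied into a fixed-size
 * stack buffer without a bounds check, so a body longer than
 * DISCOVERY_MAX_BODY overwrites adjacent stack memory, including the saved
 * return address. Shown for contrast; never feed it untrusted input. */
int handle_discovery_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    char body[DISCOVERY_MAX_BODY];
    if (pkt_len < DISCOVERY_HDR_LEN) return -1;
    size_t n = declared_len(pkt);
    memcpy(body, pkt + DISCOVERY_HDR_LEN, n);   /* no check of n vs sizeof body */
    return (int)n;
}

/* HARDENED version: the declared length is checked against both the
 * destination buffer and the number of bytes actually received, so an
 * oversized or forged header is rejected instead of copied. */
int handle_discovery_hardened(const uint8_t *pkt, size_t pkt_len) {
    char body[DISCOVERY_MAX_BODY];
    if (pkt == NULL || pkt_len < DISCOVERY_HDR_LEN) return -1;
    size_t n = declared_len(pkt);
    if (n > DISCOVERY_MAX_BODY) return -1;            /* would overflow body[] */
    if (n > pkt_len - DISCOVERY_HDR_LEN) return -1;   /* header claims more than received */
    memcpy(body, pkt + DISCOVERY_HDR_LEN, n);
    return (int)n;
}

/* Build a constructed packet with a body of body_len 'A' bytes.
 * Returns the total packet length, or 0 if it does not fit in out. */
size_t build_packet(uint8_t *out, size_t out_cap, size_t body_len) {
    if (out_cap < DISCOVERY_HDR_LEN + body_len) return 0;
    out[0] = (uint8_t)(body_len >> 8);
    out[1] = (uint8_t)(body_len & 0xff);
    memset(out + DISCOVERY_HDR_LEN, 'A', body_len);
    return DISCOVERY_HDR_LEN + body_len;
}

/* Run the hardened handler on a constructed packet of the given body size. */
int check_body_len(size_t body_len) {
    uint8_t pkt[1024];
    size_t len = build_packet(pkt, sizeof pkt, body_len);
    if (len == 0) return -2;
    return handle_discovery_hardened(pkt, len);
}

/* A header that claims 32 body bytes while the datagram carries only 2:
 * the hardened handler must reject it rather than read past the buffer. */
int check_forged_header(void) {
    uint8_t forged[4] = { 0x00, 0x20, 'A', 'A' };   /* constructed sample */
    return handle_discovery_hardened(forged, sizeof forged);
}

int main(void) {
    printf("32-byte body  -> %d\n", check_body_len(32));    /* accepted: 32 */
    printf("300-byte body -> %d\n", check_body_len(300));   /* rejected: -1 */
    printf("forged header -> %d\n", check_forged_header()); /* rejected: -1 */
    return 0;
}
```

The two checks in the hardened handler are independent: the first protects the stack buffer, the second protects against a header that lies about how much data follows. Both are needed; a handler that only compares the declared length with the buffer size still reads beyond the received datagram when the header is forged.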

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could grant an attacker complete control over an organization's video surveillance infrastructure. The potential consequences include theft of sensitive video footage, corporate espionage, disabling security monitoring to facilitate a physical breach, or using the compromised devices as a pivot point to attack other internal network resources. Furthermore, compromised devices could be co-opted into a botnet for use in broader cyberattacks, leading to significant reputational damage and potential liability.

Remediation

Immediate Action: Apply the security updates released by the vendor to all affected NVR, DVR, CVR, and IPC models without delay. After patching, monitor systems for any signs of exploitation attempts and review access and network logs for unusual activity that may have occurred before the patch was deployed.

Proactive Monitoring: Implement network monitoring to detect and alert on anomalous traffic patterns directed at the device discovery service port on affected devices. Monitor device logs for unexpected reboots, service crashes, or unauthorized configuration changes. If available, enable Intrusion Detection/Prevention System (IDS/IPS) signatures specific to CVE-2025-66177.

Compensating Controls: If immediate patching is not feasible, segment the vulnerable devices onto a dedicated, isolated network VLAN. Implement strict firewall rules and Access Control Lists (ACLs) to ensure that only trusted administrative systems can communicate with the devices. If the device Search and Discovery feature is not essential for operations, disable it through the device's configuration interface as a temporary mitigation.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the critical role these devices play in physical security, this vulnerability poses a significant risk to the organization. The recommended course of action is to apply the vendor-supplied patches to all affected systems with the highest priority. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. Organizations must act proactively and treat this vulnerability with the urgency of one that is being actively exploited in the wild.