CVE-2025-66176 in DS-K1T331

Summary

by MITRE • 01/13/2026

There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.


Analysis

by VulDB Data Team • 01/13/2026

The vulnerability identified as CVE-2025-66176 represents a critical stack overflow condition within the search and discovery functionality of Hikvision access control devices. This flaw resides in the network protocol handling mechanisms that manage device discovery requests within local area networks. The vulnerability manifests when the device processes malformed or specially crafted packets designed to overflow the stack memory allocation during the search and discovery process. Such stack overflow conditions typically occur when input validation fails to properly constrain buffer sizes, allowing attackers to overwrite adjacent memory locations and potentially execute arbitrary code or cause system instability.

The technical exploitation of this vulnerability requires an attacker to be positioned within the same local area network as the targeted device, leveraging the device's legitimate network discovery protocols. The attack vector specifically targets the device's response handling to search requests, where insufficient bounds checking allows malicious data packets to trigger the stack overflow condition. This vulnerability directly maps to CWE-121 Stack-based Buffer Overflow, which is classified as a high-risk vulnerability due to its potential for remote code execution and system compromise. The device's network stack implementation fails to properly validate the length and content of incoming discovery packets, creating an exploitable condition that can be leveraged by attackers with network access.

From an operational impact perspective, successful exploitation of CVE-2025-66176 could result in complete device compromise, leading to unauthorized access to access control systems and potential security breaches. The malfunction caused by this vulnerability may manifest as device crashes, service disruptions, or persistent system instability that could go unnoticed for extended periods. In access control environments, this vulnerability poses significant risks to physical security infrastructure, as compromised devices may fail to properly authenticate legitimate users while potentially allowing unauthorized access. The attack surface is particularly concerning given that Hikvision access control products are widely deployed in enterprise, government, and critical infrastructure environments where the compromise of security systems could have far-reaching consequences.

Security mitigations for this vulnerability should include immediate deployment of vendor-provided patches or firmware updates that address the buffer overflow condition in the device discovery feature. Network segmentation strategies should be implemented to limit the attack surface by isolating access control devices from general network traffic and restricting discovery protocol access to authorized management systems only. Additional protective measures include implementing network access control lists that restrict which devices can communicate with access control systems and monitoring network traffic for unusual discovery request patterns that may indicate exploitation attempts. Organizations should also consider disabling unnecessary discovery protocols when not actively required for device management operations. According to the ATT&CK framework, this vulnerability relates to T1071.004 Application Layer Protocol: DNS and T1210 Exploitation of Remote Services, highlighting the need for both network-level protection and application-specific security hardening measures to prevent exploitation of this stack overflow condition.

Responsible: Hikvision
Reservation: 11/24/2025
Disclosure: 01/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00015
KEV: no
Activities: very low
