CVE-2025-66173: Vulnerability in Hikvision DS-7104HGHI-F1
There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment.
AI Analysis
Technical Summary
CVE-2025-66173 is a privilege escalation vulnerability identified in the Hikvision DS-7104HGHI-F1 digital video recorder (DVR) product line. The root cause is an improper authentication mechanism on the device's serial port interface, which is intended for maintenance or debugging purposes. Due to this flaw, an attacker who gains physical access to the device can connect directly to the serial port and bypass authentication controls, thereby obtaining an unrestricted shell environment. This shell access effectively grants the attacker full control over the device, allowing them to execute arbitrary commands, manipulate stored video footage, alter device configurations, or disrupt device operations. The vulnerability affects firmware versions up to and including V4.30.122_201107. The CVSS 3.1 base score is 6.2, categorized as medium severity, with the vector indicating physical access (AV:P), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although exploitation requires physical access, the impact on security monitoring and forensic capabilities is significant, especially in environments relying on these DVRs for surveillance. There are no known public exploits or active exploitation campaigns reported as of the publication date. The vulnerability was reserved on 2025-11-24 and published on 2025-12-19. No official patches or mitigation links have been provided yet, indicating the need for immediate risk management and physical security controls.
Potential Impact
For European organizations, the impact of CVE-2025-66173 can be substantial, particularly for those relying on Hikvision DS-7104HGHI-F1 DVRs for critical surveillance and security monitoring. Successful exploitation compromises the confidentiality of recorded footage, potentially exposing sensitive or private information. Integrity is also at risk as attackers can alter or delete video evidence, undermining trust in security systems and complicating incident investigations. Availability may be disrupted if attackers disable or destabilize the device. This can lead to gaps in surveillance coverage, increasing the risk of undetected physical intrusions or other security incidents. The requirement for physical access limits the threat to environments where attackers can reach the device directly, such as poorly secured server rooms, remote sites, or public-facing installations. However, insider threats or attackers gaining physical access through social engineering or theft pose realistic risks. The absence of known exploits reduces immediate urgency but does not eliminate the threat, especially given the high impact potential. European organizations in sectors like critical infrastructure, transportation, government facilities, and large enterprises using these DVRs should assess exposure and implement compensating controls promptly.
Mitigation Recommendations
1. Restrict physical access to Hikvision DS-7104HGHI-F1 devices by securing server rooms, cabinets, and DVR enclosures with locks and access control systems.
2. Monitor and log physical access to areas housing these devices to detect unauthorized entry attempts.
3. Until official patches are released, consider disabling or physically disconnecting the serial port interface if feasible, to prevent exploitation via this vector.
4. Implement strict inventory and asset management to identify all affected devices and prioritize their protection.
5. Deploy network segmentation and monitoring to detect anomalous device behavior that may indicate compromise.
6. Train staff on the risks of physical access attacks and enforce policies to prevent unauthorized personnel from accessing sensitive equipment.
7. Regularly check for firmware updates from Hikvision and apply patches promptly once available.
8. Consider replacing affected devices with models not vulnerable to this issue if physical security cannot be guaranteed.
9. Conduct periodic security audits and penetration tests focusing on physical security controls around surveillance infrastructure.
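Steps 4 and 7 above amount to an inventory check: which DS-7104HGHI-F1 units run firmware at or below V4.30.122_201107, and which of those are easiest to reach physically. The Python below is an added example written for this page, not code from Hikvision or from the advisory source. It parses the vendor's version format into a comparable tuple and triages a constructed inventory. Assumptions: the firmware string has the shape V<major>.<minor>.<build>_<6 digits>, where a larger trailing number means a newer build (the page gives only the one version); the device records, the asset identifiers and the "serial port reachable" flag are invented sample data, and the later version V4.30.123_201201 is a constructed placeholder, not a known fixed release.

```python
import re
from dataclasses import dataclass

# Values taken from the advisory.
AFFECTED_MODEL = "DS-7104HGHI-F1"
LAST_AFFECTED_FIRMWARE = "V4.30.122_201107"   # affected up to and including this version

# Assumed version grammar: V<major>.<minor>.<build>_<6-digit build tag>.
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)_(\d{6})$")


def parse_firmware(version: str) -> tuple:
    """Turn 'V4.30.122_201107' into (4, 30, 122, 201107) so tuples compare in version order."""
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(model: str, firmware: str):
    """True if the device matches the advisory; False if not; None if the version cannot be parsed."""
    if model.strip().upper() != AFFECTED_MODEL:
        return False
    try:
        return parse_firmware(firmware) <= parse_firmware(LAST_AFFECTED_FIRMWARE)
    except ValueError:
        return None


@dataclass
class Device:
    asset_id: str
    model: str
    firmware: str
    location: str
    serial_port_reachable: bool   # assumed field: recorded during a physical site survey


def triage(devices):
    """Split an inventory into affected (most exposed first) and needs-review lists."""
    affected, unknown = [], []
    for d in devices:
        status = is_affected(d.model, d.firmware)
        if status is None:
            unknown.append(d)
        elif status:
            affected.append(d)
    # Units whose serial port can be reached without opening a locked enclosure come first.
    affected.sort(key=lambda d: (not d.serial_port_reachable, d.asset_id))
    return {"affected": affected, "needs_review": unknown}


# Constructed sample inventory (asset ids, locations and flags are invented).
SAMPLE_INVENTORY = [
    Device("DVR-001", "DS-7104HGHI-F1", "V4.30.122_201107", "lobby rack, unlocked", True),
    Device("DVR-002", "DS-7104HGHI-F1", "V4.30.120_200915", "server room, locked cabinet", False),
    Device("DVR-003", "DS-7104HGHI-F1", "V4.30.123_201201", "warehouse", True),  # placeholder later build
    Device("DVR-004", "DS-7108HGHI-F1", "V4.30.122_201107", "branch office", True),  # other model
    Device("DVR-005", "DS-7104HGHI-F1", "unknown", "remote site", True),  # version not collected
]


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for d in result["affected"]:
        print(f"AFFECTED  {d.asset_id} {d.firmware} at {d.location}"
              f" (serial port reachable: {d.serial_port_reachable})")
    for d in result["needs_review"]:
        print(f"REVIEW    {d.asset_id} firmware {d.firmware!r} could not be parsed")
```

The ordering puts the unlocked lobby unit ahead of the one in a locked cabinet, which is the priority order steps 1 and 3 imply: fix or isolate the serial port where the attacker can reach it first. Devices whose version was never collected are not silently dropped but returned for manual review, since a missing version is not evidence of a patched device.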
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: hikvision
- Date Reserved: 2025-11-24T08:59:35.902Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6944f80919341fe18889df1c
Added to database: 12/19/2025, 7:00:25 AM
Last enriched: 12/19/2025, 7:15:59 AM
Last updated: 12/19/2025, 8:01:20 AM