CVE-2025-66174 identifies a security vulnerability in the Hikvision DS-7104HGHI-F1 digital video recorder (DVR) devices, specifically related to improper authentication on the serial port interface. The vulnerability stems from a flawed implementation of authentication controls, which fails to adequately verify the identity of users connecting via the serial port. This weakness allows an attacker who has physical access to the device to connect directly to the serial port and execute a series of commands without any authentication or user interaction. The affected firmware versions include all versions up to and including V4.30.122_201107. The vulnerability is rated with a CVSS 3.1 base score of 6.5, reflecting a medium severity level. The vector metrics indicate that the attack can be performed remotely over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:L) and availability (A:L), with no integrity impact (I:N). Although no known exploits have been reported in the wild, the vulnerability poses a risk in environments where physical access to the device is possible. Attackers could potentially leverage this flaw to gain unauthorized access to the device’s command interface, potentially disrupting video recording or exfiltrating sensitive information. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim protective measures.

For European organizations, the impact of CVE-2025-66174 could be significant in sectors relying heavily on Hikvision DVRs for surveillance and security monitoring, such as transportation, government facilities, critical infrastructure, and private enterprises. Unauthorized command execution could lead to partial denial of service by disrupting recording functions or altering device configurations. Confidentiality risks arise from potential access to stored video footage or device settings, which could expose sensitive information. Although exploitation requires physical access, insider threats or attackers gaining physical proximity during maintenance or in less secure locations could exploit this vulnerability. The medium severity rating reflects that while the attack vector is constrained, the consequences could undermine security monitoring capabilities and data privacy compliance obligations under regulations like GDPR. Organizations may face operational disruptions, reputational damage, and regulatory scrutiny if surveillance data is compromised or unavailable during critical incidents.

To mitigate CVE-2025-66174, European organizations should implement strict physical security controls to prevent unauthorized access to Hikvision DVR devices, including locked cabinets, surveillance of device locations, and access logging. Network segmentation should isolate DVR devices from general user networks to reduce exposure. Organizations should monitor device logs and network traffic for unusual command executions or access attempts. Until a firmware patch is released, consider disabling or restricting serial port access if feasible. Engage with Hikvision support channels to obtain updates on patch availability and apply firmware updates promptly once released. Additionally, conduct regular security audits of physical and network controls surrounding surveillance infrastructure. Training personnel on the risks of physical access vulnerabilities and enforcing strict access policies will further reduce exploitation likelihood. For critical environments, consider deploying alternative or additional surveillance solutions with robust authentication mechanisms.