CVE-2025-66177: Vulnerability in Hikvision DS-96xxxNI-Hx
CVE-2025-66177 is a high-severity stack overflow vulnerability affecting Hikvision DS-96xxxNI-Hx series devices, including NVRs, DVRs, CVRs, and IPCs. The flaw exists in the Search and Discovery feature and can be exploited by an attacker on the same local area network by sending specially crafted packets. Successful exploitation can cause device malfunction, impacting confidentiality, integrity, and availability. No user interaction or authentication is required, and the attack vector is local network access. The vulnerability affects devices with firmware built before 250807. Although no known exploits are currently in the wild, the high CVSS score (8.8) indicates significant risk. European organizations using these Hikvision devices, especially in security and surveillance roles, are at risk of service disruption and potential data compromise. Immediate patching and network segmentation are recommended to mitigate this threat.
AI Analysis
Technical Summary
CVE-2025-66177 is a stack overflow vulnerability identified in the Search and Discovery feature of Hikvision DS-96xxxNI-Hx series devices, which include network video recorders (NVRs), digital video recorders (DVRs), cloud video recorders (CVRs), and internet protocol cameras (IPCs). The vulnerability arises due to improper handling of specially crafted packets sent over the local area network, leading to a stack overflow condition. This flaw allows an unauthenticated attacker with access to the same LAN to trigger a malfunction in the device, potentially causing denial of service or enabling further exploitation that compromises device confidentiality and integrity. The vulnerability affects firmware builds dated before 250807. The CVSS v3.1 base score is 8.8, reflecting high severity with attack vector as adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability's characteristics make it a critical concern for environments relying on these devices for security monitoring and recording. The stack overflow could be leveraged to crash devices or potentially execute arbitrary code, depending on further exploitation techniques. The lack of authentication requirement and the local network attack vector emphasize the importance of internal network security controls.
Potential Impact
For European organizations, this vulnerability poses a significant risk to physical security infrastructure relying on Hikvision DS-96xxxNI-Hx devices. Exploitation can lead to denial of service, disrupting video surveillance and recording capabilities critical for security monitoring, incident investigation, and compliance with regulatory requirements such as GDPR. The compromise of device integrity and confidentiality could allow attackers to manipulate or exfiltrate sensitive surveillance data. Organizations in sectors such as government, transportation, critical infrastructure, and large enterprises that deploy these devices extensively could face operational disruptions and increased exposure to insider threats or lateral movement by attackers. The requirement for local network access means that attackers would need to breach internal network defenses or gain physical proximity, which is plausible in many enterprise environments. The high severity score underscores the potential for widespread impact if exploited in environments with inadequate network segmentation or monitoring.
Mitigation Recommendations
European organizations should immediately identify all Hikvision DS-96xxxNI-Hx devices with firmware built before 250807 and apply vendor-provided patches or firmware updates as soon as they become available. In the absence of patches, network segmentation should be enforced to isolate these devices from general user networks, restricting access to trusted management stations only. Implement strict access controls and monitoring on the local network to detect anomalous packet traffic targeting the Search and Discovery feature. Disable or restrict the Search and Discovery functionality if it is not essential for operations. Employ network intrusion detection systems (NIDS) with signatures or heuristics capable of identifying malformed packets targeting Hikvision devices. Regularly audit device firmware versions and configurations to ensure compliance with security policies. Additionally, physical security controls should be enhanced to prevent unauthorized local network access. Finally, maintain up-to-date asset inventories and incident response plans tailored to address potential disruptions in surveillance infrastructure.
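The firmware audit recommended above can be scripted against an asset inventory. The following is an added example, not vendor or advisory code: it flags DS-96xxxNI-Hx devices whose firmware build date is earlier than 250807 and reports unparseable builds separately so they get a manual check. The inventory rows, the model regex (each "x" taken to be a digit) and the "build YYMMDD" firmware string layout are assumptions.

```python
import csv
import io
import re
from datetime import datetime

# First unaffected build date, as stated in the advisory (YYMMDD).
FIXED_BUILD = datetime.strptime("250807", "%y%m%d").date()
# Assumption: each "x" in DS-96xxxNI-Hx stands for a digit.
MODEL_RE = re.compile(r"^DS-96\d{3}NI-H\d+", re.IGNORECASE)
# Assumption: the firmware string carries "build YYMMDD".
BUILD_RE = re.compile(r"build\s*(\d{6})\b", re.IGNORECASE)

# Constructed sample inventory; hosts, addresses and versions are made up.
SAMPLE_INVENTORY = """\
host,ip,model,firmware
nvr-lobby,192.0.2.11,DS-96128NI-H16,V4.50.000 build 250312
nvr-dc1,192.0.2.12,DS-96256NI-H24,V4.51.000 build 250807
nvr-dock,192.0.2.13,DS-96064NI-H16,V4.40.010
nvr-lab,192.0.2.14,DS-96128NI-H16,V4.50.000 build 251340
cam-gate,192.0.2.15,DS-2CD2143G2-I,V5.7.1 build 220112
"""

def classify(model, firmware):
    """Return vulnerable, patched, unknown or out-of-scope for one device."""
    if not MODEL_RE.match(model.strip()):
        return "out-of-scope"
    match = BUILD_RE.search(firmware or "")
    if not match:
        return "unknown"  # no build date recorded: verify on the device
    try:
        build = datetime.strptime(match.group(1), "%y%m%d").date()
    except ValueError:
        return "unknown"  # six digits that are not a real date
    return "vulnerable" if build < FIXED_BUILD else "patched"

def audit(inventory_csv):
    """Map each host in the CSV inventory to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["model"], row["firmware"]) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as unknown should be treated as unpatched until the build date is confirmed on the device itself.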
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: hikvision
- Date Reserved: 2025-11-24T08:59:35.903Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6965b0daa60475309ff8e4da
Added to database: 1/13/2026, 2:41:30 AM
Last enriched: 1/13/2026, 2:55:51 AM
Last updated: 1/13/2026, 3:51:20 AM