Hikvision has published a security advisory (HSRC-202601-01) disclosing two stack overflow vulnerabilities — CVE-2025-66176 and CVE-2025-66177 — affecting a broad range of its NVR, DVR, CVR, IPC, and Access Control products. Both vulnerabilities carry a CVSS v3.1 base score of 8.8, placing them firmly in the High severity band and triggering an urgent patching obligation for any site running affected Hikvision hardware.
What the Vulnerabilities Do
Both CVEs are stack overflow vulnerabilities located in Hikvision’s device Search and Discovery feature — the mechanism these devices use to advertise themselves and locate other devices on a local network (commonly associated with protocols such as SADP).
- CVE-2025-66176 affects some Access Control Series products. Reported by Matt Wiseman of Cisco Talos.
- CVE-2025-66177 affects some NVR, DVR, CVR, and IPC Series products. Reported by independent security researchers Angel Lozano Alcazar and Pedro Guillen Nuñez.
The attack vector in both cases is adjacent network (AV:A) — meaning an attacker must already be on the same LAN segment as the target device. No authentication is required (PR:N), no user interaction is needed (UI:N), and the attack complexity is rated Low (AC:L). A successful exploit could cause the device to malfunction, with the full CIA triad (Confidentiality, Integrity, Availability) rated High. In plain terms: an attacker with LAN access could crash or otherwise compromise an unpatched Hikvision camera, recorder, or access control panel.
The specific list of affected model numbers is published by Hikvision in a separate PDF linked from the advisory. Facilities and IT managers should cross-reference that list against their asset registers immediately.
Operational Implications for NSW Facilities
The adjacent-network attack vector is a critical detail. These vulnerabilities are not remotely exploitable from the open internet in the traditional sense — but that does not make them low-risk. Consider the typical building network topology:
- Hikvision IP cameras and NVRs are frequently placed on flat or poorly segmented networks alongside workstations, access control head-ends, and building management systems.
- Strata and commercial buildings often share CCTV infrastructure across multiple tenancies on a common network backbone.
- Guest Wi-Fi, contractor laptops, and IoT devices that share the same VLAN as surveillance hardware all represent potential attacker positions.
- Access control panels affected by CVE-2025-66176 are particularly sensitive — a malfunctioning controller can result in doors defaulting to fail-open or fail-secure states with direct physical security consequences.
For gaming venues, clubs, and strata complexes with integrated CCTV and access control, the combination of these two CVEs on the same network fabric is especially concerning. A single compromised endpoint on the surveillance VLAN is sufficient to attempt exploitation.
Required Action
Hikvision has released patched firmware. The remediation steps are straightforward but must be executed methodically across potentially large device inventories:
- Identify affected models: Download and review Hikvision’s impact-scope PDF (linked from the advisory) and compare against your site asset register.
- Download patched firmware: Obtain updated firmware from the Hikvision official firmware portal. Verify you are downloading the correct firmware for each specific model and hardware revision.
- Schedule and apply updates: Coordinate with site operations to minimise disruption — recorder reboots will cause brief recording gaps, and access control panel updates must be staged to avoid door-lock failures.
- Review network segmentation: Use this event as a trigger to audit whether CCTV and access control VLANs are properly isolated from general-purpose network segments. This reduces the attack surface for adjacent-network vulnerabilities as a class.
- Document the remediation: Record firmware versions pre- and post-update for each device. This is essential for compliance purposes and for demonstrating due diligence to insurers or regulators if an incident occurs.
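The identification, segmentation-review and documentation steps above can be scripted against an asset register export. The Python below is an added example, not Hikvision or Mallen Services tooling; the model names, fixed-firmware versions, CSV columns (including `role`) and the prefix matching are constructed assumptions, and the real values come from Hikvision's impact-scope PDF.

```python
import csv
import io

# Constructed placeholders: model prefix -> (CVE, first fixed firmware version).
AFFECTED = {
    "EXAMPLE-NVR-7600": ("CVE-2025-66177", (4, 2, 0)),
    "EXAMPLE-ACS-K1T": ("CVE-2025-66176", (3, 5, 1)),
}

# Constructed asset register export; the column names are assumptions.
REGISTER = """\
asset_id,model,firmware,vlan,role
CAM-REC-01,example-nvr-7600-16P,V4.1.9,30,security
DOOR-CTL-02,EXAMPLE-ACS-K1T-B,V3.5.1,30,security
DOOR-CTL-03,EXAMPLE-ACS-K1T-B,V3.4.0,40,security
RECEPTION-PC,Generic-Desktop,n/a,40,general
CAM-REC-04,EXAMPLE-NVR-9999,V1.0.0,30,security
"""

def parse_version(text):
    """'V4.1.9 build 250101' -> (4, 1, 9); None when the field is unparseable."""
    parts = text.strip().lstrip("Vv").split()
    try:
        return tuple(int(p) for p in parts[0].split("."))
    except (IndexError, ValueError):
        return None

def triage(register_csv, affected):
    """Return affected assets, most urgent first, with pre-update firmware recorded."""
    rows = list(csv.DictReader(io.StringIO(register_csv)))
    # A VLAN holding any non-security asset gives that asset LAN adjacency.
    mixed = {r["vlan"] for r in rows if r["role"] != "security"}
    findings = []
    for r in rows:
        model = r["model"].strip().upper()
        hit = next((k for k in affected if model.startswith(k)), None)
        if hit is None:
            continue
        cve, fixed = affected[hit]
        current = parse_version(r["firmware"])
        findings.append({
            "asset_id": r["asset_id"], "cve": cve,
            "firmware_before": r["firmware"],
            # An unreadable version is treated as unpatched until checked by hand.
            "needs_patch": current is None or current < fixed,
            "shared_vlan": r["vlan"] in mixed,
        })
    # Unpatched devices on VLANs shared with general-purpose hosts sort first.
    return sorted(findings, key=lambda f: (not f["needs_patch"], not f["shared_vlan"]))
```

Running `triage(REGISTER, AFFECTED)` again on a refreshed register after the update gives the post-update half of the remediation record.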
Mallen Services Perspective
CVEs at CVSS 8.8 affecting device discovery protocols are a reminder that surveillance and access control hardware carries the same patching obligations as any other networked IT asset. The fact that these vulnerabilities require LAN adjacency does not diminish the urgency — it shifts the focus to network hygiene. Properly segmented security networks, managed switches with port isolation, and regular firmware maintenance are the controls that turn a critical vulnerability into a manageable one.
Mallen Services recommends that all clients with Hikvision NVR, DVR, CVR, IPC, or Access Control equipment in their installed base review the affected model list and contact us to arrange a firmware audit and update schedule if they do not have an active maintenance agreement in place. Do not wait for a scheduled maintenance window if your devices appear on the affected list — the CVSS score and the nature of the attack vector warrant treating this as a priority remediation task.
Original source: https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/