CVE-2025-66176

High

Published: 13 January 2026

Published

13 January 2026

Modified

18 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 1.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66176 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Hikvision Ds-K1T331 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and remediation of flaws such as this stack overflow vulnerability through patching unpatched Hikvision devices.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of incoming network packets to the device Search and Discovery feature, preventing specially crafted packets from triggering the stack overflow.

SC-7 Boundary Protection partial match

prevent

SC-7 enforces network boundaries and segmentation to restrict adjacent LAN access, limiting unauthenticated attackers' ability to send crafted packets to the vulnerable feature.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Stack overflow in network-accessible Search/Discovery service allows unauthenticated adjacent-network RCE/DoS, directly enabling remote service exploitation (T1190/T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets…

to an unpatched device.

Deeper analysisAI

CVE-2025-66176 is a stack overflow vulnerability (CWE-121) affecting the device Search and Discovery feature in Hikvision Access Control Products. Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An unauthenticated attacker on the same local area network (LAN) can exploit this vulnerability by sending specially crafted packets to an unpatched device, causing it to malfunction. The adjacent network access vector, low attack complexity, and lack of required privileges or user interaction make it accessible to local adversaries, with high impacts across confidentiality, integrity, and availability.

For mitigation, refer to advisories from Hikvision at https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ and Talos Intelligence at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2281, which detail patching and remediation for affected products.