CVE-2025-11942
Published: 19 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11942 is a missing authentication vulnerability (CWE-287, CWE-306) in the Pairing component of the 70mai Omni X200 dashcam firmware, affecting versions up to 20251010. The flaw resides in an unknown function within the pairing mechanism, allowing manipulation that bypasses required authentication checks. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges or user interaction required. Successful exploitation enables bypass of device pairing protections, potentially granting unauthorized access to the dashcam's functions and data. This could allow attackers to pair with the device illicitly, compromising video feeds, settings, or other features.
Advisories from VulDB and a GitHub repository detail the issue, with the latter providing a proof-of-concept for bypassing pairing on the 70mai Omni X200. No patches or vendor responses are available, as the manufacturer was contacted early but did not reply. The exploit has been publicly disclosed and may be actively used.
In notable context, the proof-of-concept exploit is available on GitHub, increasing the risk of real-world abuse against exposed 70mai X200 devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves missing authentication in the device's pairing function, HTTP API (port 80), and RTSP service (port 554), enabling remote attackers to bypass physical authorization (button press) and gain unauthorized access to public-facing services without authentication.