CVE-2025-2343
Published: 16 March 2025
Description
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-2343 is a vulnerability in IROAD Dash Cam X5 and Dash Cam X6 devices running firmware up to version 20250308. The source advisory rates it critical. It affects an unidentified function of the Device Pairing component, where hard-coded credentials (CWE-259, CWE-798) allow the pairing check to be bypassed. The CVSS v3.1 base score is 7.5 (vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), which falls in the High band (7.0 to 8.9); the "critical" label comes from the advisory's own rating, not from the CVSS score.
Exploitation requires a position on the same local network as the camera (adjacent attack vector, AV:A) and is rated high attack complexity (AC:H), but it needs no privileges and no user interaction (PR:N, UI:N). An attacker who knows the hard-coded credentials can bypass device pairing authentication; the advisory rates the resulting impact on confidentiality, integrity, and availability as high (C:H/I:H/A:H), with scope unchanged (S:U).
Advisories from VulDB and a GitHub disclosure detail the finding, including specifics on bypassing device pairing for IROAD X-series devices. The vendor was contacted early about the disclosure but did not respond, and no patch or mitigation is mentioned in the available references.
Details
- CWE(s): CWE-259 (Use of Hard-coded Password), CWE-798 (Use of Hard-coded Credentials)
MITRE ATT&CK Enterprise Techniques
- Valid Accounts: Default Accounts (T1078.001)
Why these techniques?
Hard-coded credentials (CWE-259/798) in the device pairing component let anyone on the local network who knows them pass the pairing check, which is the default-account abuse T1078.001 describes. The available references document this only as initial access to the camera; the persistence, privilege-escalation and defense-evasion uses listed in the technique description are not described for this CVE.
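What the weakness class looks like in code, and what a fix looks like, as an added illustration that is not IROAD's code and makes no claim about how X5/X6 pairing actually works: the secret value, the challenge-response exchange, the nonce size and the lockout threshold are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable pattern (CWE-798): one pairing secret compiled into every firmware image ---
FIRMWARE_PAIRING_SECRET = b"example-fleet-wide-secret"   # constructed placeholder, not a real value


def pair_vulnerable(presented: bytes) -> bool:
    """Every unit accepts the same value, so a secret recovered from one firmware
    image (a strings pass is usually enough) pairs the holder with any unit on the LAN."""
    return presented == FIRMWARE_PAIRING_SECRET


# --- Hardened pattern: per-unit secret plus challenge-response over the LAN ---
class PairingDevice:
    """Hypothetical pairing verifier. The unit secret is provisioned per device
    (e.g. printed on a label or QR code) and is never present in the firmware."""

    def __init__(self, unit_secret: bytes, max_failures: int = 5):
        self._secret = unit_secret
        self._pending = set()            # nonces issued but not yet consumed
        self._failures = 0
        self._max_failures = max_failures

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; the client must prove knowledge of the secret on it."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if self._failures >= self._max_failures:
            return False                 # locked out: stops online guessing of the secret
        if nonce not in self._pending:
            return False                 # unknown or already-used nonce: replay rejected
        self._pending.discard(nonce)     # each nonce is single-use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        if not ok:
            self._failures += 1
        return ok


def client_response(unit_secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate companion app computes from the secret on the unit's label."""
    return hmac.new(unit_secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    # Vulnerable: the extracted fleet-wide value works against any unit.
    print("vulnerable accepts extracted secret:", pair_vulnerable(FIRMWARE_PAIRING_SECRET))
    # Hardened: a secret taken from a different unit does not pair, and a captured
    # response cannot be replayed because its nonce has been consumed.
    unit_a, unit_b = secrets.token_bytes(32), secrets.token_bytes(32)
    dev = PairingDevice(unit_a)
    n = dev.challenge()
    resp = client_response(unit_a, n)
    print("legitimate pairing:", dev.verify(n, resp))
    print("replay of same response:", dev.verify(n, resp))
    n2 = dev.challenge()
    print("other unit's secret:", dev.verify(n2, client_response(unit_b, n2)))
```

The three properties the hardened form adds are the ones the vulnerable pattern lacks: the secret is unique per unit, so extracting one firmware image compromises nothing; it never crosses the local network in the clear, since only an HMAC over a single-use nonce is sent; and repeated wrong answers lock the pairing path, so the secret cannot be guessed online. Because the advisory reports no vendor response and no patch, the practical mitigations for the devices themselves are network-level: keep the camera's Wi-Fi off or on an isolated segment, since the attack vector is adjacent-network only.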