CVE-2025-2345
Published: 16 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-2345 is a critical improper authorization vulnerability (classified under CWE-266 and CWE-285) in IROAD Dash Cam X5 and Dash Cam X6 firmware versions up to 20250308. The issue lies in an unspecified component of these dash cam devices and allows manipulation that bypasses the intended authorization controls. Published on 2025-03-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the Critical severity band.
The vulnerability is remotely exploitable by unauthenticated attackers, with low attack complexity and no user interaction required. Successful exploitation has a high impact on confidentiality, integrity, and availability: according to the associated GitHub findings, an attacker can manage device settings to obtain sensitive data and sabotage the car battery.
Advisories from VulDB and the referenced GitHub repository indicate no vendor response despite early disclosure contact; thus, no official patches or mitigations are available. Security practitioners should isolate affected devices and monitor for unauthorized access until firmware updates are provided.
Details
- CWE(s): CWE-266, CWE-285
- MITRE ATT&CK Enterprise Techniques: T1190, T1005
Why these techniques?
The remote improper authorization bypass in the network-accessible dash cam firmware directly enables exploitation of a public-facing application for initial access (T1190) and facilitates collection of sensitive data from the local system via unauthorized settings management (T1005).