CVE-2025-2347
Published: 16 March 2025
Description
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-2347 is a vulnerability in IROAD Dash Cam FX2 firmware versions up to 20250308, classified as problematic and tied to CWE-1393. It affects the Device Registration component, where manipulation of the Password argument using the input "qwertyuiop" triggers use of a default password, bypassing proper authentication. The issue was published on 2025-03-16 and carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An attacker on the adjacent local network can exploit this vulnerability without privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized device registration or pairing bypass.
Advisories and details are available in referenced sources, including a GitHub repository documenting the device pairing/registration bypass (https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-7-bypass-of-device-pairingregistration-for-iroad-fx2) and VulDB entries (https://vuldb.com/?ctiid.299813, https://vuldb.com/?id.299813). The exploit has been publicly disclosed and may be used.
The vulnerability's public disclosure increases the risk of exploitation in environments with exposed IROAD Dash Cam FX2 devices on local networks.
Details
CWE(s): CWE-1393 (use of a default password)
Affected Products: IROAD Dash Cam FX2, firmware versions up to 20250308
MITRE ATT&CK Enterprise Techniques: Valid Accounts: Default Accounts (T1078.001)
Why these techniques?
The vulnerability enables bypass of device pairing/registration: the default Wi-Fi password 'qwertyuiop' lets an adjacent attacker join the dash cam's network and reach its HTTP server without authentication, which is initial access via a default account.