CVE-2025-2350
Published: 16 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2350 is a critical vulnerability in IROAD Dash Cam FX2 firmware versions up to 20250308, affecting an unknown functionality in the /action/upload_file endpoint. The issue enables unrestricted file upload, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity by score but labeled critical in advisories.
Attackers with access to the local network can exploit this vulnerability without authentication or user interaction. By manipulating the upload_file endpoint, they can upload arbitrary files, potentially leading to unauthorized access, code execution, or deployment of webshells, as demonstrated in public proof-of-concept disclosures.
Advisories reference GitHub findings on unauthenticated uploads (Finding 10) and unrestricted webshell uploads (Finding 11) in the geo-chen/IROAD repository, along with VulDB entries (ctiid.299816 and id.299816). No specific patches or mitigations are detailed in the provided information.
The exploit was publicly disclosed on 2025-03-16 and may be used by attackers.
Details
CWE(s)
CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Affected Products
IROAD Dash Cam FX2, firmware versions up to 20250308
MITRE ATT&CK Enterprise Techniques
T1105 (Ingress Tool Transfer), T1190 (Exploit Public-Facing Application), T1505.003 (Server Software Component: Web Shell)
Why these techniques?
Unrestricted unauthenticated file upload via /action/upload_file enables ingress tool transfer (T1105), exploitation of the web application (T1190), and deployment of web shells for execution/persistence (T1505.003).
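The mapping above suggests a concrete detection: any POST to the unauthenticated /action/upload_file endpoint is worth alerting on, and a follow-up request from the same client for a newly created path with a script extension is the classic web shell deployment sequence (T1505.003). The script below is an added example, not code from the advisory, VulDB or the geo-chen/IROAD repository. It parses constructed combined-format access log lines (the sample lines, IPs and file names are made up for illustration), and the 5-minute correlation window and the list of script extensions are assumptions a defender would tune for their environment.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/action/upload_file"  # endpoint named in the advisory
# Assumption: extensions that indicate an uploaded file is executable server-side
SCRIPT_EXTENSIONS = (".php", ".cgi", ".sh", ".pl", ".py", ".jsp", ".asp", ".aspx")
FOLLOW_UP_WINDOW = timedelta(minutes=5)  # assumption: upload-to-invocation window

# Constructed sample access log (combined log format); not taken from the page.
SAMPLE_LOG = """\
192.168.1.50 - - [16/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.77 - - [16/Mar/2025:10:02:10 +0000] "POST /action/upload_file HTTP/1.1" 200 31 "-" "python-requests/2.31"
192.168.1.77 - - [16/Mar/2025:10:02:14 +0000] "GET /uploads/cam.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.168.1.50 - - [16/Mar/2025:10:05:00 +0000] "POST /action/upload_file HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.168.1.50 - - [16/Mar/2025:10:05:03 +0000] "GET /uploads/trip_0001.mp4 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

# client ip, two ignored fields, bracketed timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Turn combined-format log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
        })
    return events


def detect_webshell_activity(text):
    """Return alerts for hits on the upload endpoint and for a same-client
    follow-up request to a script-typed path within FOLLOW_UP_WINDOW."""
    events = parse_log(text)  # assumes lines are in chronological order
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or ev["path"] != UPLOAD_ENDPOINT:
            continue
        # The endpoint requires no authentication, so every hit is worth recording.
        alerts.append({"kind": "upload_endpoint_hit", "ip": ev["ip"],
                       "path": ev["path"], "ts": ev["ts"]})
        for later in events[i + 1:]:
            if later["ip"] != ev["ip"]:
                continue
            if later["ts"] - ev["ts"] > FOLLOW_UP_WINDOW:
                break
            # Upload followed by a successful request for a script file: web shell pattern.
            if later["status"] == 200 and later["path"].lower().endswith(SCRIPT_EXTENSIONS):
                alerts.append({"kind": "possible_webshell", "ip": later["ip"],
                               "path": later["path"], "ts": later["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_webshell_activity(SAMPLE_LOG):
        print(f'{alert["ts"].isoformat()} {alert["kind"]:<20} {alert["ip"]} {alert["path"]}')
```

On a device whose web server writes no access log, the same correlation can be run on a network capture or a reverse proxy in front of the camera; the useful signal is the same pair of events, a POST to the upload endpoint and a later request for an executable file from the same source.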