CVE-2025-25729
Published: 28 February 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-25729 is an information disclosure vulnerability classified under CWE-200, affecting Bosscomm IF740 Firmware versions 11001.7078 and v11001.0000, as well as System versions 6.25 and 6.00. Published on 2025-02-28, it enables attackers to obtain hardcoded cleartext credentials exposed during the device's update or boot process. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its confidentiality impact.
Any unauthenticated attacker with network access can exploit this vulnerability remotely, as it requires low complexity, no privileges, and no user interaction. Exploitation allows retrieval of sensitive hardcoded credentials in cleartext, potentially granting further access to the affected OBD2 tablet device or related systems.
Mitigation guidance is available in the GainSec advisory at https://gainsec.com/2025/02/27/cve-2025-25727cve-2025-25728cve-2025-25729-multiple-vulnerabilities-found-in-bosscomm-obd2-tablet/, which details this and related vulnerabilities in the Bosscomm OBD2 tablet. Security practitioners should consult this reference for patching or workaround recommendations specific to the affected firmware and system versions.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote, unauthenticated information disclosure in network-accessible firmware maps to T1190 (exploiting a public-facing application), and the hardcoded cleartext credentials exposed during the update or boot process map to T1552.001 (obtaining credentials stored in files).