CVE-2025-59403
Published: 02 October 2025
Description
Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.
Security Summary
CVE-2025-59403 is a critical vulnerability in the Flock Safety Android Collins application (package name com.flocksafety.android.collins), specifically version 6.35.31 for Android. This application manages camera feeds on Falcon, Sparrow, and Bravo devices but exposes multiple administrative API endpoints on TCP port 8080 without any authentication. Affected endpoints include, but are not limited to, /reboot, /logs, /crashpack, and /adb/enable. The issue stems from CWE-749 (Exposed Dangerous Method or Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker with network access to the exposed port can exploit these endpoints remotely. Potential impacts include denial of service through the /reboot endpoint, which forces a device restart; information disclosure via /logs and /crashpack, exposing sensitive logs and crash data; and remote code execution via /adb/enable, which starts Android Debug Bridge (ADB) over TCP without requiring debugging confirmation. This grants an attacker on the same LAN or WLAN shell access to the device.
Advisories detailing the vulnerability are published by GainSec at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected Flock Safety products, such as license plate readers, is available at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers. No specific patch or mitigation details are provided in the CVE description.
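For defenders who need to check whether the endpoints listed above were reached on their network, the following added example (not from the advisory or from Flock Safety) flags requests to those four paths on TCP port 8080 in flow or proxy logs. The log line format, the IP addresses, the `/status` path and the management-host allowlist are constructed assumptions.

```python
import re

# Endpoints named in the summary above, mapped to the impact the page describes.
ADMIN_ENDPOINTS = {
    "/reboot": "denial of service (forced restart)",
    "/logs": "information disclosure (logs)",
    "/crashpack": "information disclosure (crash data)",
    "/adb/enable": "ADB over TCP started (shell access)",
}
ADMIN_PORT = 8080

# Assumed (constructed) log format: "<time> <src_ip> -> <dst_ip>:<port> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<path>\S+)$"
)

def find_admin_hits(lines, allowed_sources=frozenset()):
    """Return one alert per request to an admin endpoint from a non-allowlisted source."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) != ADMIN_PORT:
            continue  # unparseable line or a different service
        # Normalise before matching: drop any query string and trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        impact = ADMIN_ENDPOINTS.get(path)
        if impact and m["src"] not in allowed_sources:
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "path": path, "impact": impact})
    return alerts

def devices_with_adb_enabled(alerts):
    """Devices that received /adb/enable; prioritise these for incident response."""
    return sorted({a["dst"] for a in alerts if a["path"] == "/adb/enable"})

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-10-02T10:00:01Z 10.0.0.5 -> 10.0.0.20:8080 /logs",
    "2025-10-02T10:00:07Z 10.0.0.5 -> 10.0.0.20:8080 /adb/enable?x=1",
    "2025-10-02T10:01:00Z 10.0.0.9 -> 10.0.0.21:8080 /status",  # hypothetical path
    "2025-10-02T10:02:00Z 10.0.0.2 -> 10.0.0.20:8080 /reboot",  # allowlisted host
    "2025-10-02T10:03:00Z 10.0.0.5 -> 10.0.0.22:443 /logs",     # different port
    "malformed line",
]

if __name__ == "__main__":
    hits = find_admin_hits(SAMPLE_LOG, allowed_sources={"10.0.0.2"})
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} {h["path"]}: {h["impact"]}')
    print("ADB enabled on:", devices_with_adb_enabled(hits))
```

Because the endpoints require no authentication, an allowlist only reduces alert noise; a hit from an allowlisted host still shows the port is reachable.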
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated API endpoints enable exploitation for RCE via ADB shell (T1210, T1059.004), reboot/DoS (T1529), and local data disclosure via logs (T1005). Hardcoded credentials and keys in apps (T1552.001, T1552.004) and Wi-Fi credentials facilitate evil twin attacks (T1557.004).