CVE-2025-59407
Published: 02 October 2025
Description
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Security Summary
CVE-2025-59407 is a critical vulnerability in the Flock Safety DetectionProcessing application (package com.flocksafety.android.objects) version 6.35.33 for Android, deployed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The flaw stems from the application bundling a Java Keystore file named flock_rye.bks, which contains a private key, alongside its hardcoded password "flockhibiki17" embedded directly in the code. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe risk due to the exposure of sensitive cryptographic material.
Per the CVSS vector, the vulnerability can be exploited by an unauthenticated network attacker with low attack complexity and no user interaction. Access to the keystore via the hardcoded password allows extraction of the private key, enabling high-impact confidentiality, integrity, and availability compromises, such as unauthorized decryption, key misuse for authentication bypass, or broader system manipulation depending on the key's role in device operations.
Advisories and research details are available in GainSec's publications, including the blog post at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and the PDF report at https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected products appears on Flock Safety's sites at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers.
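A release-gate check for the condition described above (key material shipped inside the application package), as an added example that is not code from the advisory, GainSec, or Flock Safety. It scans an APK's entries for keystore or private-key files by content and by extension; the sample archive is constructed, and every entry path in it other than the file name flock_rye.bks is an assumption.

```python
import io
import zipfile

# Extensions commonly used for Java/Android keystores and private-key files.
KEY_EXTENSIONS = (".bks", ".jks", ".keystore", ".p12", ".pfx", ".pem", ".key")
# Leading bytes of the JKS and JCEKS keystore formats.
KEYSTORE_MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}
PEM_PRIVATE_MARKER = b"PRIVATE KEY-----"


def find_bundled_key_material(apk_bytes):
    """Return sorted (entry_name, reason) pairs for key material found in an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(4096)
            name = info.filename.lower()
            # Content checks come first so a renamed keystore is still caught.
            if head[:4] in KEYSTORE_MAGIC:
                findings.append((info.filename, KEYSTORE_MAGIC[head[:4]] + " magic bytes"))
            elif PEM_PRIVATE_MARKER in head:
                findings.append((info.filename, "PEM private key block"))
            elif name.endswith(KEY_EXTENSIONS):
                findings.append((info.filename, "keystore/key file extension"))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample archive; paths and file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("res/raw/flock_rye.bks", b"\x00\x00\x00\x02" + b"\x00" * 16)
        z.writestr("assets/renamed.dat", b"\xfe\xed\xfe\xed\x00\x00\x00\x02")
        z.writestr("assets/notes.txt", b"nothing sensitive here")
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_bundled_key_material(build_sample_apk())
    for entry, reason in hits:
        print(f"{entry}: {reason}")
    # Non-zero exit fails the build when key material is packaged.
    raise SystemExit(1 if hits else 0)
```

A finding means the key should be moved out of the package (for example into hardware-backed storage provisioned per device) and rotated, since any copy of the application already distributed contains it.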
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded keystore password and bundled private key in the Android app enable adversaries to extract credentials from files and access private keys.