CVE-2025-2343 (GCVE-0-2025-2343)
Vulnerability from cvelistv5 – Published: 2025-03-16 17:31 – Updated: 2025-03-17 14:17
Title
IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials
Summary
A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| IROAD | Dash Cam X5 | Affected: 20250308 |
Credits
geochen (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T14:17:39.884417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T14:17:49.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Device Pairing"
],
"product": "Dash Cam X5",
"vendor": "IROAD",
"versions": [
{
"status": "affected",
"version": "20250308"
}
]
},
{
"modules": [
"Device Pairing"
],
"product": "Dash Cam X6",
"vendor": "IROAD",
"versions": [
{
"status": "affected",
"version": "20250308"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In IROAD Dash Cam X5 and Dash Cam X6 bis 20250308 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es unbekannten Programmcode der Komponente Device Pairing. Durch Manipulation mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff im lokalen Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.8,
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T17:31:04.395Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299809 | IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.299809"
},
{
"name": "VDB-299809 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299809"
},
{
"name": "Submit #516881 | IROAD Dashcam X series Authentication Bypass by Primary Weakness",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.516881"
},
{
"tags": [
"related"
],
"url": "https://github.com/geo-chen/IROAD#finding-3-bypassing-of-device-pairing-cwe-798-for-iroad-x-series"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-15T19:27:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2343",
"datePublished": "2025-03-16T17:31:04.395Z",
"dateReserved": "2025-03-15T18:22:22.068Z",
"dateUpdated": "2025-03-17T14:17:49.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.