{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2343", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-03-15T18:22:22.068Z", "datePublished": "2025-03-16T17:31:04.395Z", "dateUpdated": "2025-03-17T14:17:49.548Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-03-16T17:31:04.395Z"}, "title": "IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-798", "lang": "en", "description": "Hard-coded Credentials"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-259", "lang": "en", "description": "Use of Hard-coded Password"}]}], "affected": [{"vendor": "IROAD", "product": "Dash Cam X5", "versions": [{"version": "20250308", "status": "affected"}], "modules": ["Device Pairing"]}, {"vendor": "IROAD", "product": "Dash Cam X6", "versions": [{"version": "20250308", "status": "affected"}], "modules": ["Device Pairing"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In IROAD Dash Cam X5 and Dash Cam X6 bis 20250308 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es unbekannten Programmcode der Komponente Device Pairing. Durch Manipulation mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff im lokalen Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.8, "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C"}}], "timeline": [{"time": "2025-03-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-03-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-03-15T19:27:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "geochen (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.299809", "name": "VDB-299809 | IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.299809", "name": "VDB-299809 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.516881", "name": "Submit #516881 | IROAD Dashcam X series Authentication Bypass by Primary Weakness", "tags": ["third-party-advisory"]}, {"url": "https://github.com/geo-chen/IROAD#finding-3-bypassing-of-device-pairing-cwe-798-for-iroad-x-series", "tags": ["related"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T14:17:39.884417Z", "id": "CVE-2025-2343", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T14:17:49.548Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials", "credits": [{"lang": "en", "type": "reporter", "value": "geochen (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.8, "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C"}}], "affected": [{"vendor": "IROAD", "modules": ["Device Pairing"], "product": "Dash Cam X5", "versions": [{"status": "affected", "version": "20250308"}]}, {"vendor": "IROAD", "modules": ["Device Pairing"], "product": "Dash Cam X6", "versions": [{"status": "affected", "version": "20250308"}]}], "timeline": [{"lang": "en", "time": "2025-03-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-03-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-03-15T19:27:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.299809", "name": "VDB-299809 | IROAD Dash Cam X5/Dash Cam X6 Device Pairing hard-coded credentials", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.299809", "name": "VDB-299809 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.516881", "name": "Submit #516881 | IROAD Dashcam X series Authentication Bypass by Primary Weakness", "tags": ["third-party-advisory"]}, {"url": "https://github.com/geo-chen/IROAD#finding-3-bypassing-of-device-pairing-cwe-798-for-iroad-x-series", "tags": ["related"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In IROAD Dash Cam X5 and Dash Cam X6 bis 20250308 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es unbekannten Programmcode der Komponente Device Pairing. Durch Manipulation mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff im lokalen Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "Hard-coded Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-259", "description": "Use of Hard-coded Password"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-03-16T17:31:04.395Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2343", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-17T14:17:39.884417Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-03-17T14:17:43.585Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-2343", "state": "PUBLISHED", "dateUpdated": "2025-03-16T17:31:04.395Z", "dateReserved": "2025-03-15T18:22:22.068Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-03-16T17:31:04.395Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2025-2343", "lastModified": "2025-03-16T18:15:11.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-03-16T18:15:11.830", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/geo-chen/IROAD#finding-3-bypassing-of-device-pairing-cwe-798-for-iroad-x-series"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.299809"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.299809"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.516881"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-259"}, {"lang": "en", "value": "CWE-798"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}