Cyber Resilience

CVE-2023-27746

CriticalPublic PoC

Published: 13 April 2023

Published
13 April 2023
Modified
07 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1011 93.3th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-27746 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Blackvue Dr750-2Ch Lte Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

BlackVue DR750-2CH LTE firmware version 1.012_2022.10.26 contains a weak default WPA2 passphrase that is susceptible to offline brute-force attacks once an attacker captures the four-way handshake. The issue is tracked as CVE-2023-27746 with a CVSS 3.1 score of 9.8 and is associated with CWE-307.

An attacker positioned on the same network or within radio range can intercept the WPA2 handshake and recover the passphrase through brute force, after which they obtain full network access to the dashcam and any connected systems. Because authentication attempts occur offline, rate limiting on the device provides no protection.

The EPSS score for this vulnerability has remained flat at 0.1011 with no material increase since disclosure. Public references consist primarily of vendor product pages and third-party GitHub repositories documenting the finding; no vendor advisory or firmware update addressing the default passphrase is referenced in the available sources.

EU & UK References

Vulnerability details

BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

blackvue
dr750-2ch lte firmware
1.012_2022.10.26
blackvue
dr750-2ch ir lte firmware
1.012_2022.10.26

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References