Cyber Resilience

CVE-2024-56897

Severity: Critical · Public PoC

Published: 24 February 2025
Modified: 03 March 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.4th percentile)
Risk Priority: 20 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56897 is a critical-severity vulnerability, classified as Unrestricted Upload of File with Dangerous Type (CWE-434), in YI Technology's YI Car Dashcam firmware (version 3.88). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns most closely with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 48.4th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-56897 is an improper access control flaw in the HTTP server of YI Car Dashcam firmware version 3.88, catalogued under CWE-434 (Unrestricted Upload of File with Dangerous Type) because one of its direct consequences is unrestricted file upload. The server accepts file downloads, file uploads and API commands without any authentication. Those API commands can change device settings: disabling recording, disabling sounds, and triggering a factory reset. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which classifies it as critical.

Any attacker with network access to the device can exploit it: attack complexity is low and no privileges or user interaction are required. Successful exploitation gives full control over file operations, exposing sensitive data such as video recordings through downloads or planting malicious files through uploads, and lets the attacker alter settings to render the dashcam useless for surveillance or evidence collection. The AV:N rating means reachability is the only prerequisite: whoever can reach the dashcam's HTTP server, whether on the device's own Wi-Fi or on any network it is bridged to, can exploit it.

Technical details and proof-of-concept code are available in the researcher's disclosure: the Medium article at https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4 and the GitHub repository https://github.com/geo-chen/YI-Smart-Dashcam/, which provide analysis and exploit code. The product page at https://yitechnology.com.sg/products/dash-camera/ offers device information, but no official patch is referenced in the CVE details. Until YI Technology publishes fixed firmware, practitioners should keep affected devices off shared networks, restrict which clients can reach the HTTP server, and monitor for firmware updates.

Vulnerability details

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, and factory reset.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1078.001 Default Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1562.001 Disable or Modify Tools, a sub-technique of T1562 Impair Defenses (Defense Evasion)
Adversaries may disable, degrade, or tamper with security tools or applications.
Why these techniques?

Vulnerability enables exploitation of public-facing HTTP server (T1190), leveraging default/weak accounts (T1078.001), exfiltration of local data via unrestricted downloads (T1005), ingress of tools via uploads (T1105), and impairing device defenses via API commands to disable recording/sounds and perform factory reset (T1562).

CVEs Like This One

CVE-2026-2269 (shared CWE-434)
CVE-2025-25783 (shared CWE-434)
CVE-2025-27683 (shared CWE-434)
CVE-2024-8958 (shared CWE-434)
CVE-2025-57795 (shared CWE-434)
CVE-2020-37117 (shared CWE-434)
CVE-2024-41340 (shared CWE-434)
CVE-2025-6207 (shared CWE-434)
CVE-2024-50620 (shared CWE-434)
CVE-2025-12171 (shared CWE-434)

Affected Assets

Vendor: yitechnology
Product: yi car dashcam firmware
Version: 3.88

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)

AC-3 requires the enforcement of approved authorizations for access to system resources, directly preventing unauthorized file downloads, uploads, and API commands in the HTTP server.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

AC-14 explicitly identifies and limits actions allowable without identification or authentication, countering the unrestricted access to device settings and files.

AC-17 Remote Access, partial match (prevent)

AC-17 authorizes, monitors, and controls remote access mechanisms, mitigating network-based exploitation of the HTTP server's improper access controls.
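The weakness described in the deeper analysis above (an HTTP server that serves downloads, uploads and settings commands with no authentication) and the two primary controls mapped to it, AC-14 and AC-3, are easier to reason about side by side in code. The following Python is an added example written for this page; it is not YI Technology firmware and not the researcher's proof-of-concept. The action names, the bearer token, the allowed upload extensions and the size limit are assumptions chosen for illustration. `vulnerable_policy` models the v3.88 behaviour, where every request is served; `hardened_policy` enforces an explicit allow-list of unauthenticated actions (AC-14), authenticates everything else (AC-3), and confines uploads to bare filenames with allow-listed types (the CWE-434 control).

```python
"""Access-control policy for a dashcam-style HTTP API.

Added illustration, not YI Technology firmware or the researcher's PoC.
Action names, the token, file extensions and the size limit are assumptions.
"""
import hmac
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed shared secret; real firmware should use a per-device credential.
DEVICE_TOKEN = "example-token-change-me"

# AC-14: the complete list of actions allowed without authentication.
UNAUTHENTICATED_ACTIONS = frozenset({"status"})

# Settings commands of the kind the advisory describes as reachable via the API.
SETTINGS_COMMANDS = frozenset({"set_recording", "set_sound", "factory_reset"})

# CWE-434 control: only the file types the device legitimately accepts (assumed).
ALLOWED_UPLOAD_EXT = frozenset({".bin", ".cfg"})
MAX_UPLOAD_BYTES = 64 * 1024 * 1024


@dataclass
class Request:
    action: str                      # "status", "download", "upload" or a settings command
    token: Optional[str] = None      # client-supplied bearer token, if any
    filename: Optional[str] = None   # target of a download or upload
    body: bytes = b""                # upload payload


@dataclass
class Decision:
    allowed: bool
    reason: str


def vulnerable_policy(req: Request) -> Decision:
    """Models the v3.88 behaviour described above: every request is served."""
    return Decision(True, "no authentication or authorization performed")


def _authenticated(req: Request) -> bool:
    # Constant-time comparison so the token cannot be recovered via timing.
    return req.token is not None and hmac.compare_digest(req.token, DEVICE_TOKEN)


def _plain_basename(name: Optional[str]) -> Optional[str]:
    """Accept only a bare filename: no directory components, no traversal."""
    if not name or "\\" in name or "\x00" in name:
        return None
    if posixpath.basename(name) != name or name in (".", ".."):
        return None
    return name


def _safe_upload_name(name: Optional[str]) -> Optional[str]:
    """CWE-434 control: bare filename with an allow-listed extension."""
    base = _plain_basename(name)
    if base is None:
        return None
    ext = posixpath.splitext(base)[1].lower()
    return base if ext in ALLOWED_UPLOAD_EXT else None


def hardened_policy(req: Request) -> Decision:
    """AC-14 allow-list first, then AC-3 enforcement for everything else."""
    if req.action in UNAUTHENTICATED_ACTIONS:
        return Decision(True, "AC-14: explicitly permitted without authentication")
    if not _authenticated(req):
        return Decision(False, "AC-3: authentication required")
    if req.action == "download":
        if _plain_basename(req.filename) is None:
            return Decision(False, "download name rejected")
        return Decision(True, "authorized download")
    if req.action == "upload":
        if _safe_upload_name(req.filename) is None:
            return Decision(False, "CWE-434: upload name or type rejected")
        if len(req.body) > MAX_UPLOAD_BYTES:
            return Decision(False, "upload exceeds size limit")
        return Decision(True, "authorized upload")
    if req.action in SETTINGS_COMMANDS:
        return Decision(True, "authorized settings change")
    return Decision(False, "unknown action")  # default deny


def compare_policies() -> List[Tuple[str, bool, bool]]:
    """Run constructed sample requests through both policies."""
    samples = [
        ("anon status", Request("status")),
        ("anon download", Request("download", filename="rec001.mp4")),
        ("anon factory reset", Request("factory_reset")),
        ("anon upload shell", Request("upload", filename="x.sh", body=b"#!/bin/sh")),
        ("auth download", Request("download", DEVICE_TOKEN, "rec001.mp4")),
        ("auth traversal", Request("download", DEVICE_TOKEN, "../../etc/passwd")),
        ("auth upload fw", Request("upload", DEVICE_TOKEN, "update.bin", b"\x7fELF")),
        ("auth factory reset", Request("factory_reset", DEVICE_TOKEN)),
    ]
    return [(label, vulnerable_policy(r).allowed, hardened_policy(r).allowed)
            for label, r in samples]


if __name__ == "__main__":
    for label, vuln, hard in compare_policies():
        print(f"{label:20s} vulnerable={vuln!s:5s} hardened={hard}")
```

Running the block prints one row per constructed request: the vulnerable policy allows all eight, the hardened policy allows only the anonymous status query and the three authenticated, well-formed requests. The design point worth copying is that AC-14 is implemented as a short positive list rather than a list of protected actions, so an endpoint added later is denied by default unless someone deliberately adds it to `UNAUTHENTICATED_ACTIONS`; the final default-deny branch of `hardened_policy` gives unknown commands the same treatment.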

References

https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4
https://github.com/geo-chen/YI-Smart-Dashcam/
https://yitechnology.com.sg/products/dash-camera/