CVE-2024-56897
Published: 24 February 2025
Summary
CVE-2024-56897 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Yitechnology Yi Car Dashcam Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 48.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-56897 is an improper access control flaw, catalogued as CWE-434 (Unrestricted Upload of File with Dangerous Type), in the HTTP server of YI Car Dashcam firmware version 3.88. The flaw allows unrestricted file downloads and uploads, as well as execution of arbitrary API commands, all without authentication. These API commands permit unauthorized modifications to device settings, such as disabling recording, disabling sounds, and initiating a factory reset. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
Remote attackers with network access to the device can exploit this vulnerability with low complexity and no required privileges or user interaction. Successful exploitation grants full control over file operations, potentially exposing sensitive data like video recordings through downloads or introducing malware via uploads. Attackers can also disrupt device functionality by altering settings, rendering the dashcam inoperable for surveillance or evidence collection.
Mitigation details are outlined in researcher disclosures, including the Medium article at https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4 and the GitHub repository https://github.com/geo-chen/YI-Smart-Dashcam/, which provide proof-of-concept code and analysis. The product page at https://yitechnology.com.sg/products/dash-camera/ offers device information, though no official patches are referenced in the CVE details. Security practitioners should isolate affected devices and monitor for firmware updates from YI Technology.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4285
Vulnerability details
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, and factory reset.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing HTTP server (T1190), use of default or weak accounts (T1078.001), exfiltration of local data via unrestricted downloads (T1005), ingress of tooling via unrestricted uploads (T1105), and impairment of device defenses via API commands that disable recording or sounds and perform a factory reset (T1562).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires the enforcement of approved authorizations for access to system resources, directly preventing unauthorized file downloads, uploads, and API commands in the HTTP server.
AC-14 explicitly identifies and limits actions allowable without identification or authentication, countering the unrestricted access to device settings and files.
AC-17 authorizes, monitors, and controls remote access mechanisms, mitigating network-based exploitation of the HTTP server's improper access controls.