Cyber Posture

CVE-2025-2343

High

Published: 16 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2343 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 19.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · IA-5 (Authenticator Management): Directly prohibits hard-coded credentials by requiring proper authenticator management, including changing defaults and protecting credentials used in the device pairing functionality.

prevent · SI-2 (Flaw Remediation): Mandates identification, reporting, and timely remediation of critical flaws like hard-coded credentials in the device pairing component.

prevent: Requires robust device identification and authentication mechanisms that rely on managed authenticators, countering weak hard-coded credentials in pairing.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hard-coded credentials (CWE-259/798) in the device pairing component directly enable bypassing authentication on the local network, mapping to use of default accounts for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2025-2343 is a vulnerability classified as critical in IROAD Dash Cam X5 and Dash Cam X6 devices running firmware up to version 20250308. It affects an unknown functionality within the Device Pairing component, where hard-coded credentials (CWE-259 and CWE-798) allow the pairing check to be manipulated. The issue carries a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), placing it in the High severity range.

An attacker with access to the local network (adjacent access) can exploit this vulnerability, which requires high attack complexity and appears difficult to execute. No privileges or user interaction are needed. Successful exploitation has high impact on confidentiality, integrity, and availability, because the hard-coded credentials allow device pairing authentication to be bypassed.

Advisories from VulDB and a GitHub disclosure detail the finding, including specifics on bypassing device pairing for IROAD X-series devices. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in the available references.

Details

CWE(s): CWE-259 (Use of Hard-coded Password), CWE-798 (Use of Hard-coded Credentials)

CVEs Like This One

CVE-2026-24346 (shared: CWE-798)
CVE-2026-2616 (shared: CWE-259, CWE-798)
CVE-2024-51547 (shared: CWE-798)
CVE-2026-25753 (shared: CWE-259)
CVE-2025-30122 (shared: CWE-798)
CVE-2026-23781 (shared: CWE-798)
CVE-2026-27785 (shared: CWE-798)
CVE-2026-26218 (shared: CWE-798)
CVE-2026-25803 (shared: CWE-798)
CVE-2026-1610 (shared: CWE-259, CWE-798)