CVE-2025-2345
Published: 16 March 2025
Summary
CVE-2025-2345 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its headline CVSS base score is 9.3 (Critical); note that the CVSS v3.1 vector quoted in the deeper analysis below scores 9.8, so the two figures on this page are not from the same scoring version.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-2345 is a critical improper authorization vulnerability (classified under CWE-266 and CWE-285) in IROAD Dash Cam X5 and Dash Cam X6 firmware versions up to 20250308. The issue lies in an unspecified component of these dash cam devices; manipulating it bypasses the device's authorization controls. Published on 2025-03-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which VulDB classifies as very critical.
The vulnerability is remotely exploitable by an unauthenticated attacker with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability: the associated GitHub findings describe managing device settings to obtain sensitive data and to sabotage the car battery.
Advisories from VulDB and the referenced GitHub repository report no vendor response despite early disclosure contact, so no official patch or vendor mitigation is available. Until fixed firmware ships, practitioners should keep affected devices off untrusted networks, restrict which hosts can reach them, and monitor for connections to or from the device that do not come from an expected management host.
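Because the only available mitigation is network isolation plus monitoring, here is an added example (not code from VulDB, IROAD, or the GitHub write-up) of the check an operator would run over flow records: it flags any connection to the dash cam from a host that is not on a management allowlist, and any egress from the dash cam to an address outside the RFC 1918 ranges. The device address, the allowlisted workstation, the flow-record format, and the sample records are all assumptions constructed for the example; the vulnerable component's real port is not published, so the check deliberately does not key on a port number.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addresses for the example: the IROAD unit and the one host allowed to manage it.
DASHCAM_HOSTS = {ipaddress.ip_address("192.168.50.20")}
MGMT_ALLOWLIST = {ipaddress.ip_address("192.168.50.10")}

# RFC 1918 ranges, checked explicitly rather than via ip_address.is_private,
# which also treats the documentation ranges (e.g. 198.51.100.0/24) as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
2025-03-16T08:00:01Z 192.168.50.10 192.168.50.20 80 tcp
2025-03-16T08:00:05Z 192.168.50.33 192.168.50.20 80 tcp
2025-03-16T08:00:09Z 203.0.113.7 192.168.50.20 443 tcp
2025-03-16T08:01:00Z 192.168.50.20 198.51.100.4 443 tcp
2025-03-16T08:01:02Z 192.168.50.10 192.168.50.11 22 tcp
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one flow record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def check_flows(text, dashcams=DASHCAM_HOSTS, allowlist=MGMT_ALLOWLIST):
    """Return findings for flows that violate the dash cam isolation policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if dst in dashcams and src not in allowlist:
            # Inbound from anything but the management host: the vulnerability needs
            # no credentials, so every such connection is a potential exploitation attempt.
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "inbound to dash cam from non-allowlisted host"))
        elif src in dashcams and not is_internal(dst):
            # The device should never need to talk outside the private network.
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "dash cam egress to non-internal address"))
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The same allowlist is what the boundary firewall rule should encode; this script is the detective counterpart for flows that slip past it or for networks where the device shares a segment with other hosts.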
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6670
Vulnerability details
A vulnerability, which was classified as very critical, was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. This affects an unknown part. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote improper authorization bypass in the network-accessible dash cam firmware directly enables exploitation of a public-facing application for initial access (T1190) and facilitates collection of sensitive data from the local system via unauthorized settings management (T1005).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly counters the improper authorization vulnerability (CWE-285) by enforcing approved authorizations for logical access, preventing unauthenticated remote manipulation of dash cam settings and sensitive data.
- SC-7 (Boundary Protection): mitigates the remote (AV:N) exploitation vector by monitoring and controlling communications at network boundaries, blocking unauthorized access to vulnerable IROAD Dash Cam devices.
- AC-6 (Least Privilege): limits damage from authorization bypass by restricting access to high-impact functions such as sensitive data retrieval and car battery sabotage.
With no firmware fix available, AC-3 and AC-6 cannot be enforced on the device itself; SC-7 at the network boundary is the control an operator can actually apply today.