Cyber Resilience

CVE-2025-2347

Severity: Medium

Published: 16 March 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: available (see Mitigating Controls)

CVSS Score v4: 5.3
Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0004 (11.8th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2347 is a medium-severity Use of Default Password (CWE-1393) vulnerability in Iroadau Fx2 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2347 is a vulnerability in IROAD Dash Cam FX2 firmware versions up to 20250308, classified as problematic and tied to CWE-1393. It affects the Device Registration component, where manipulation of the Password argument using the input "qwertyuiop" triggers use of a default password, bypassing proper authentication. The issue was published on 2025-03-16 and carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

An attacker on the adjacent local network can exploit this vulnerability without privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized device registration or pairing bypass.

Advisories and details are available in referenced sources, including a GitHub repository documenting the device pairing/registration bypass (https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-7-bypass-of-device-pairingregistration-for-iroad-fx2) and VulDB entries (https://vuldb.com/?ctiid.299813, https://vuldb.com/?id.299813). The exploit has been publicly disclosed and may be used.

The vulnerability's public disclosure increases the risk of exploitation in environments with exposed IROAD Dash Cam FX2 devices on local networks.

Vulnerability details

A vulnerability was found in IROAD Dash Cam FX2 up to 20250308 and classified as problematic. This issue affects some unknown processing of the component Device Registration. The manipulation of the argument Password with the input qwertyuiop leads to use of default password. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-1393: Use of Default Password

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables bypass of device pairing/registration by using the default WiFi password 'qwertyuiop' to connect to the dashcam's network and access the HTTP server without authentication, facilitating initial access via default accounts.

CVEs Like This One

CVE-2025-30133 (same product: Iroadau Fx2)
CVE-2025-2350 (same product: Iroadau Fx2)
CVE-2025-22938 (shared CWE-1393)
CVE-2024-49559 (shared CWE-1393)
CVE-2026-33784 (shared CWE-1393)
CVE-2025-26793 (shared CWE-1393)
CVE-2026-4404 (shared CWE-1393)
CVE-2026-24429 (shared CWE-1393)
CVE-2026-2635 (shared CWE-1393)
CVE-2025-26701 (shared CWE-1393)

Affected Assets

Vendor: iroadau
Product: fx2 firmware
Affected versions: ≤ 2025-03-08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management). Directly requires changing default authenticators prior to first use, preventing exploitation of the hardcoded default password triggered by specific input in device registration.

Prevent: SI-2 (Flaw Remediation). Mandates timely identification, reporting, and correction of known flaws like this firmware vulnerability through patching or updates.

Prevent: IA-3 (Device Identification and Authentication). Requires device identification and authentication before establishing connections, mitigating unauthorized registration or pairing bypass attempts.
