CVE-2025-2347
Published: 16 March 2025
Summary
CVE-2025-2347 is a medium-severity Use of Default Password (CWE-1393) vulnerability in Iroadau Fx2 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The vulnerability ranks at the 11.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires changing default authenticators before first use, preventing exploitation of the hardcoded default password accepted by the Device Registration component.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of known flaws such as this firmware vulnerability through patching or updates.
- IA-3 (Device Identification and Authentication): Requires device identification and authentication before a connection is established, mitigating unauthorized registration or pairing-bypass attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a bypass of device pairing/registration: the default WiFi password 'qwertyuiop' grants a connection to the dashcam's network, after which the device's HTTP server is reachable without authentication. This is initial access via default accounts (T1078.001).
NVD Description
A vulnerability was found in IROAD Dash Cam FX2 up to 20250308 and classified as problematic. This issue affects some unknown processing of the component Device Registration. The manipulation of the argument Password with the input qwertyuiop leads to use of default password. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2347 is a vulnerability in IROAD Dash Cam FX2 firmware versions up to 20250308, classified as problematic and tied to CWE-1393. It affects the Device Registration component, where manipulation of the Password argument using the input "qwertyuiop" triggers use of a default password, bypassing proper authentication. The issue was published on 2025-03-16 and carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An attacker on the adjacent (local) network can exploit this vulnerability without privileges or user interaction, as the vector string indicates (AV:A, PR:N, UI:N). Successful exploitation has limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling unauthorized device registration or a pairing bypass.
Advisories and details are available in referenced sources, including a GitHub repository documenting the device pairing/registration bypass (https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-7-bypass-of-device-pairingregistration-for-iroad-fx2) and VulDB entries (https://vuldb.com/?ctiid.299813, https://vuldb.com/?id.299813). The exploit has been publicly disclosed and may be used.
The vulnerability's public disclosure increases the risk of exploitation in environments with exposed IROAD Dash Cam FX2 devices on local networks.
Details
- CWE(s): CWE-1393 (Use of Default Password)