CVE-2025-2350
Published: 16 March 2025
Summary
CVE-2025-2350 is a medium-severity Improper Access Control (CWE-284) vulnerability in Iroadau Fx2 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The vulnerability ranks at the 21.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved access authorizations, directly preventing unauthenticated unrestricted file uploads to the /action/upload_file endpoint.
SI-10 validates inputs to block unrestricted uploads of dangerous file types, addressing CWE-434 in the IROAD Dash Cam FX2 vulnerability.
AC-14 explicitly limits permitted actions without identification or authentication, mitigating unauthenticated access to the vulnerable upload functionality.
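An illustrative request check that applies the three controls above to the /action/upload_file endpoint, written for this page as a defender-side example; it is not the vendor's firmware code and does not reflect any patch, since none is documented here. The `UploadRequest` shape, the allowed-type table, the size limit and the storage path are all assumptions.

```python
import os
import posixpath
import re
from dataclasses import dataclass

# Constructed allowlist for the illustration: extension -> expected leading bytes.
# A real device would permit only the types its upload feature actually needs.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed cap, not a device value
UPLOAD_DIR = "/tmp/uploads"          # assumed storage root, not the device's real path
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


@dataclass
class UploadRequest:
    path: str            # request path, e.g. "/action/upload_file"
    authenticated: bool  # outcome of the (hypothetical) session check
    filename: str        # client-supplied name: untrusted
    body: bytes          # client-supplied content: untrusted


def check_upload(req: UploadRequest) -> tuple[bool, str]:
    """Return (accepted, reason-or-destination). Each rejection maps to a control."""
    if req.path != "/action/upload_file":
        return False, "unknown endpoint"
    # AC-3 / AC-14: no upload is a permitted action without an authenticated session.
    if not req.authenticated:
        return False, "authentication required"
    # SI-10: reduce the name to a basename; any directory component means traversal.
    name = posixpath.basename(req.filename.replace("\\", "/"))
    if name != req.filename or name in ("", ".", ".."):
        return False, "invalid filename"
    stem, sep, ext = name.rpartition(".")
    # One dot only, plain stem: this also rejects double extensions like x.php.jpg.
    if not sep or not STEM_RE.fullmatch(stem):
        return False, "invalid filename"
    ext = ext.lower()
    # SI-10: extension allowlist (CWE-434), never a denylist of "dangerous" types.
    if ext not in ALLOWED_TYPES:
        return False, f"file type not allowed: {ext}"
    # SI-10: the content must match the claimed type, not just the extension.
    if not req.body.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if len(req.body) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    return True, os.path.join(UPLOAD_DIR, name)
```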
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted unauthenticated file upload via /action/upload_file enables ingress tool transfer (T1105), exploitation of the web application (T1190), and deployment of web shells for execution/persistence (T1505.003).
NVD Description
A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2350 is a critical vulnerability in IROAD Dash Cam FX2 firmware versions up to 20250308, affecting an unknown functionality in the /action/upload_file endpoint. The issue enables unrestricted file upload, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity by score but labeled critical in advisories.
Attackers with access to the local network can exploit this vulnerability without authentication or user interaction. By manipulating the upload_file endpoint, they can upload arbitrary files, potentially leading to unauthorized access, code execution, or deployment of webshells, as demonstrated in public proof-of-concept disclosures.
Advisories reference GitHub findings on unauthenticated uploads (Finding 10) and unrestricted webshell uploads (Finding 11) in the geo-chen/IROAD repository, along with VulDB entries (ctiid.299816 and id.299816). No specific patches or mitigations are detailed in the provided information.
The exploit has been publicly disclosed and may be usable by attackers, with publication on 2025-03-16.
Details
- CWE(s)