Cyber Posture

CVE-2025-59403

Critical · Public PoC

Published: 02 October 2025

Modified: 24 November 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0275 (86.1st percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59403 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in the Flock Safety Android Collins application (vendor: Flocksafety). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 13.9% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-41 (Port and I/O Device Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 6 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of administrative API endpoints like /reboot, /logs, and /adb/enable.
- Boundary protection (prevent): Monitors and controls communications at system boundaries to block unauthorized network access to port 8080 hosting the exposed unauthenticated APIs.
- SC-41 Port and I/O Device Access (prevent): Restricts the use of TCP port 8080 and associated protocols/services, preventing the Android Collins application from exposing dangerous administrative endpoints.

MITRE ATT&CK Enterprise Techniques

- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1529 System Shutdown/Reboot (Impact): Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- T1552.004 Private Keys (Credential Access): Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
- T1557.004 Evil Twin (Credential Access): Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.

Why these techniques?

Unauthenticated API endpoints enable exploitation for RCE via an ADB shell (T1210, T1059.004), reboot/DoS (T1529), and local data disclosure via logs (T1005). Hardcoded credentials and keys in the apps (T1552.001, T1552.004) and recoverable Wi-Fi credentials facilitate evil twin attacks (T1557.004).

NVD Description

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.

Deeper analysis

CVE-2025-59403 is a critical vulnerability in the Flock Safety Android Collins application (package name com.flocksafety.android.collins), specifically version 6.35.31 for Android. This application manages camera feeds on Falcon, Sparrow, and Bravo devices but exposes multiple administrative API endpoints on TCP port 8080 without any authentication. Affected endpoints include, but are not limited to, /reboot, /logs, /crashpack, and /adb/enable. The issue stems from CWE-749 (Exposed Dangerous Method or Function) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker with network access to the exposed port can exploit these endpoints remotely. Potential impacts include denial of service through the /reboot endpoint, which forces a device restart; information disclosure via /logs and /crashpack, exposing sensitive logs and crash data; and remote code execution via /adb/enable, which starts Android Debug Bridge (ADB) over TCP without requiring debugging confirmation. This grants an attacker on the same LAN or WLAN shell access to the device.

Advisories detailing the vulnerability are published by GainSec at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected Flock Safety products, such as license plate readers, is available at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers. No specific patch or mitigation details are provided in the CVE description.
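Because the CVE description offers no patch, the practical defender-side controls described above are boundary monitoring and access enforcement: any request to the administrative endpoints on TCP/8080 that does not come from a known management host is a finding. The following Python script is an added example, not code from Cyber Posture, GainSec or Flock Safety. It runs a simple detection over constructed flow-log lines (the log format, the management allow-list 10.10.0.0/24 and every address in the sample are assumptions made for the example); only the port and endpoint names come from the advisory text.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Administrative endpoints and port named in the NVD description of CVE-2025-59403.
DANGEROUS_ENDPOINTS = {"/reboot", "/logs", "/crashpack", "/adb/enable"}
SERVICE_PORT = 8080

# Severity per the impact the advisory attributes to each endpoint.
SEVERITY = {
    "/adb/enable": "critical",  # remote code execution via adb over TCP
    "/reboot": "high",          # denial of service
    "/logs": "medium",          # information disclosure
    "/crashpack": "medium",     # information disclosure
}

# Assumption (constructed for this example): only these management networks
# are ever allowed to reach the device API.
MGMT_NETWORKS = [ip_network("10.10.0.0/24")]

# Constructed flow-log line format (not a real Flock Safety or vendor format):
#   <ts> src=<ip> dst=<ip>:<port> method=<verb> path=<path> status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    path: str
    severity: str


def from_management_network(src: str) -> bool:
    """True when the source address belongs to an allow-listed management network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def normalise_path(raw: str) -> str:
    """Drop the query string and trailing slash so /logs/?tail=50 matches /logs."""
    path = raw.split("?", 1)[0]
    return path.rstrip("/") or "/"


def scan(lines):
    """Return one Alert per request to a dangerous endpoint on the service port
    that did not originate from a management network; other lines are ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed or unrelated line
        if int(m["port"]) != SERVICE_PORT:
            continue  # other services are out of scope here
        path = normalise_path(m["path"])
        if path not in DANGEROUS_ENDPOINTS:
            continue
        if from_management_network(m["src"]):
            continue  # expected administrative traffic
        alerts.append(Alert(m["ts"], m["src"], m["dst"], path, SEVERITY[path]))
    return alerts


def highest_severity(alerts):
    """Worst severity among the alerts, or None when there are no alerts."""
    order = {"medium": 1, "high": 2, "critical": 3}
    return max((a.severity for a in alerts), key=order.get, default=None)


# Constructed sample log: one allowed admin read, one benign path, one RCE
# attempt, one disclosure read with a query string, one hit on the wrong port,
# one malformed line, and one reboot.
SAMPLE_LOG = [
    "2025-10-02T10:00:01Z src=10.10.0.5 dst=10.20.0.7:8080 method=GET path=/logs status=200",
    "2025-10-02T10:00:02Z src=10.20.0.44 dst=10.20.0.7:8080 method=GET path=/status status=200",
    "2025-10-02T10:00:03Z src=10.20.0.44 dst=10.20.0.7:8080 method=POST path=/adb/enable status=200",
    "2025-10-02T10:00:04Z src=192.168.1.9 dst=10.20.0.7:8080 method=GET path=/logs/?tail=200 status=200",
    "2025-10-02T10:00:05Z src=192.168.1.9 dst=10.20.0.7:443 method=GET path=/reboot status=404",
    "this line is not a flow record",
    "2025-10-02T10:00:06Z src=192.168.1.9 dst=10.20.0.7:8080 method=GET path=/reboot status=200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:8} {a.ts} {a.src} -> {a.dst} {a.path}")
    print("worst:", highest_severity(scan(SAMPLE_LOG)))
```

The allow-list check is the whole point: with no authentication on the endpoint, source address is the only signal available at the boundary, so the same logic belongs in the firewall rule that drops non-management traffic to 8080, with this scan serving as the alert on anything that still gets through.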

Details

CWE(s): CWE-749 (Exposed Dangerous Method or Function)

Affected Products: vendor flocksafety, product flock safety, version 6.35.31

CVEs Like This One

- CVE-2025-59407: same product (Flocksafety Flock Safety)
- CVE-2026-30957: shared CWE-749
- CVE-2025-53964: shared CWE-749
- CVE-2026-5173: shared CWE-749
- CVE-2025-47366: shared CWE-749
- CVE-2026-35488: shared CWE-749
- CVE-2026-30921: shared CWE-749
- CVE-2024-12651: shared CWE-749
- CVE-2026-3483: shared CWE-749
- CVE-2024-13242: shared CWE-749

References