Cyber Resilience

CVE-2025-59407

Critical · Public PoC

Published: 02 October 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59407 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Flocksafety Flock Safety. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 32.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Mobile/Edge AI and falls in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2025-59407 is a critical vulnerability in the Flock Safety DetectionProcessing application (package com.flocksafety.android.objects) version 6.35.33 for Android, deployed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The flaw stems from the application bundling a Java Keystore file named flock_rye.bks, which contains a private key, alongside its hardcoded password "flockhibiki17" embedded directly in the code. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe risk due to the exposure of sensitive cryptographic material.

The vulnerability can be exploited by any unauthenticated network attacker, with low attack complexity and no user interaction. Opening the keystore with the hardcoded password allows extraction of the private key, enabling high-impact confidentiality, integrity, and availability compromises, such as unauthorized decryption, key misuse for authentication bypass, or broader system manipulation, depending on the key's role in device operations.

Advisories and research details are available in GainSec's publications, including the blog post at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and the PDF report at https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected products appears on Flock Safety's sites at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers.

Vulnerability details

The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key.

AI Security Analysis

AI Category: Mobile/Edge AI
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1552.004 Private Keys (Credential Access): Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

Hardcoded keystore password and bundled private key in the Android app enable adversaries to extract credentials from files and access private keys.

CVEs Like This One

CVE-2025-59403 (same product: Flocksafety Flock Safety)
CVE-2024-52881 (shared CWE-321)
CVE-2026-22906 (shared CWE-321)
CVE-2026-32324 (shared CWE-321)
CVE-2025-67305 (shared CWE-321)
CVE-2024-33504 (shared CWE-321)
CVE-2025-34256 (shared CWE-321)
CVE-2025-15016 (shared CWE-321)
CVE-2025-67112 (shared CWE-321)
CVE-2025-27674 (shared CWE-321)

Affected Assets

flocksafety
flock safety
6.35.33

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-12 requires secure establishment and management of cryptographic keys, directly preventing the bundling of keystores with hardcoded passwords and private keys in application code.

Prevent: IA-5 mandates protection of authenticators from unauthorized disclosure, addressing the hardcoded keystore password embedded in the application.

Prevent: SA-8 applies security engineering principles in development to avoid design flaws like hard-coded cryptographic keys and passwords.
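
One way to enforce the SC-12 control at release time, added here as an example (not code from the advisory, GainSec or Flock Safety): scan the built APK for bundled key containers by magic bytes and file extension, and fail the build on any hit. The BKS test is a heuristic based on the version and salt-length header Bouncy Castle writes; the extension list, entry names and sample archive are constructed assumptions.

```python
import io
import struct
import zipfile

# Extensions commonly used for key containers (assumed list, extend as needed).
KEY_EXTS = (".bks", ".jks", ".keystore", ".p12", ".pfx", ".pem", ".key")

def classify(name, head):
    """Label an archive entry that looks like a key container, else None."""
    if head[:4] == b"\xfe\xed\xfe\xed":
        return "JKS"
    if head[:4] == b"\xce\xce\xce\xce":
        return "JCEKS"
    if len(head) >= 8:
        # Heuristic: a BKS store starts with int version, then int salt length.
        version, salt_len = struct.unpack(">II", head[:8])
        if version in (1, 2) and 0 < salt_len <= 64:
            return "BKS"
    if b"PRIVATE KEY-----" in head:
        return "PEM private key"
    if name.lower().endswith(KEY_EXTS):
        return "key container (by extension)"
    return None

def scan_apk(apk):
    """Return [(entry_name, kind)] for every suspected key container in an APK."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = classify(info.filename, fh.read(64))
            if kind:
                findings.append((info.filename, kind))
    return findings

def build_sample_apk():
    """Constructed sample archive: header bytes only, no real key material."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + bytes(12))
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(24))
        zf.writestr("assets/example_store.bks", struct.pack(">II", 2, 20) + bytes(40))
        zf.writestr("assets/legacy.jks", b"\xfe\xed\xfe\xed" + bytes(16))
    buf.seek(0)
    return buf
```

scan_apk accepts a file path or a file-like object; a non-empty result should block the release until the key material is moved to a managed store such as the Android Keystore.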
