CVE-2025-59407
Published: 02 October 2025
Summary
CVE-2025-59407 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Flocksafety Flock Safety. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). It ranks at the 32.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Mobile/Edge AI, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Deeper analysis
CVE-2025-59407 is a critical vulnerability in the Flock Safety DetectionProcessing application (package com.flocksafety.android.objects) version 6.35.33 for Android, deployed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The flaw stems from the application bundling a Java Keystore file named flock_rye.bks, which contains a private key, alongside its hardcoded password "flockhibiki17" embedded directly in the code. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe risk due to the exposure of sensitive cryptographic material.
The vulnerability can be exploited by an unauthenticated network attacker with low attack complexity and no user interaction. Access to the keystore via the hardcoded password allows extraction of the private key, enabling high-impact confidentiality, integrity, and availability compromises, such as unauthorized decryption, key misuse for authentication bypass, or broader system manipulation, depending on the key's role in device operations.
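The defect pattern described above (a keystore asset shipped inside the APK, unlocked with a password literal in the app's own code) is mechanically detectable during app review. The following is an added example, not a tool from the advisory or from Flock Safety: a hypothetical static check over an unpacked app tree that reports bundled keystore files and KeyStore.load() calls fed by a string literal, and stays silent for the hardened pattern where keys live in the Android Keystore. All file names, contents and password values below are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# Hypothetical CWE-321 static check over an unpacked Android app (example code, not the
# advisory's tooling): flag keystore assets bundled in the package and KeyStore.load()
# calls whose password is a source-code literal.
KEYSTORE_EXTENSIONS = {".bks", ".jks", ".p12", ".pfx", ".keystore"}
SOURCE_EXTENSIONS = {".java", ".kt"}

# ks.load(stream, "literal".toCharArray())  -- password inlined at the call site
INLINE_PASSWORD = re.compile(r'\.load\s*\([^;]*?"([^"]+)"\s*\.toCharArray\s*\(\)')
# char[] pw = "literal".toCharArray(); ... ks.load(stream, pw);  -- literal via a local
ASSIGNED_PASSWORD = re.compile(r'char\s*\[\]\s*(\w+)\s*=\s*"([^"]+)"\s*\.toCharArray\s*\(\)')
LOAD_WITH_VARIABLE = re.compile(r'\.load\s*\([^;]*?\b(\w+)\s*\)\s*;')


def scan_source(path, text):
    """Findings for one Java/Kotlin file; the literal itself is never copied into the report."""
    findings = []
    for m in INLINE_PASSWORD.finditer(text):
        findings.append(("hardcoded_keystore_password", path, f"inline literal, {len(m.group(1))} chars"))
    literals = {m.group(1): m.group(2) for m in ASSIGNED_PASSWORD.finditer(text)}
    for m in LOAD_WITH_VARIABLE.finditer(text):
        if m.group(1) in literals:
            findings.append(("hardcoded_keystore_password", path, f"via {m.group(1)}, {len(literals[m.group(1)])} chars"))
    return findings


def scan_unpacked_app(files):
    """files maps a relative path inside the unpacked APK to its content (str for source, bytes otherwise)."""
    findings = []
    for path, content in files.items():
        suffix = PurePosixPath(path).suffix.lower()
        if suffix in KEYSTORE_EXTENSIONS:
            findings.append(("bundled_keystore", path, "keystore shipped inside the app package"))
        elif suffix in SOURCE_EXTENSIONS and isinstance(content, str):
            findings.extend(scan_source(path, content))
    return findings


# Constructed sample app trees (placeholder bytes and password, not real material).
VULNERABLE_APP = {
    "assets/keys/example_store.bks": b"\x00\x00\x00\x02",  # placeholder bytes, not a real keystore
    "src/com/example/TlsClient.java": (
        'KeyStore ks = KeyStore.getInstance("BKS");\n'
        'ks.load(getAssets().open("keys/example_store.bks"), "EXAMPLE_PASSWORD".toCharArray());\n'
    ),
}
HARDENED_APP = {
    # Keys live in the hardware-backed Android Keystore: nothing bundled, no password in code.
    "src/com/example/TlsClient.java": 'KeyStore ks = KeyStore.getInstance("AndroidKeyStore");\nks.load(null);\n',
}

if __name__ == "__main__":
    for kind, path, detail in scan_unpacked_app(VULNERABLE_APP):
        print(f"{kind}: {path} ({detail})")
    print("hardened findings:", scan_unpacked_app(HARDENED_APP))
```

The regexes target the common Java idiom only; an obfuscated build (string encryption, reflection) needs a decompiler-backed pass, which this check does not attempt.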
Advisories and research details are available in GainSec's publications, including the blog post at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and the PDF report at https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected products appears on Flock Safety's sites at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32590
Vulnerability details
The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key.
AI Security Analysis
- AI Category: Mobile/Edge AI
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded keystore password and bundled private key in the Android app enable adversaries to extract credentials from files and access private keys.
Mitigating Controls (NIST 800-53 r5)
SC-12 requires secure establishment and management of cryptographic keys, directly preventing the bundling of keystores with hardcoded passwords and private keys in application code.
IA-5 mandates protection of authenticators from unauthorized disclosure, addressing the hardcoded keystore password embedded in the application.
SA-8 applies security engineering principles in development to avoid design flaws like hard-coded cryptographic keys and passwords.