CVE-2025-59407
Published: 02 October 2025
Summary
CVE-2025-59407 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Flocksafety Flock Safety. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE is ranked at the 30.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-12 requires secure establishment and management of cryptographic keys, directly preventing the bundling of keystores with hardcoded passwords and private keys in application code.
IA-5 mandates protection of authenticators from unauthorized disclosure, addressing the hardcoded keystore password embedded in the application.
SA-8 applies security engineering principles in development to avoid design flaws like hard-coded cryptographic keys and passwords.
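A release-gate check in the spirit of SC-12 and IA-5, added here as an example (it is not code from Flock Safety, GainSec or NVD): it scans an APK archive for bundled keystores or private keys so a build can be blocked before key material ships. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Extensions commonly used for Java/Android keystores and private keys (assumed list).
KEYSTORE_EXTS = (".bks", ".jks", ".keystore", ".p12", ".pfx", ".pem", ".key")
# Magic numbers of the JKS and JCEKS keystore container formats.
MAGICS = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}


def find_bundled_keystores(apk_bytes):
    """Return sorted (entry name, reason) pairs for keystore-like APK entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(64)
            magic = struct.unpack(">I", head[:4])[0] if len(head) >= 4 else None
            if info.filename.lower().endswith(KEYSTORE_EXTS):
                findings.append((info.filename, "keystore-like extension"))
            elif magic in MAGICS:
                # Catches keystores renamed to an innocuous extension.
                findings.append((info.filename, MAGICS[magic] + " magic bytes"))
            elif head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head:
                findings.append((info.filename, "PEM private key header"))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample archive (not a real app) so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("res/raw/sample_store.bks", b"\x00\x00\x00\x02" + b"\x00" * 16)
        z.writestr("assets/config.bin", struct.pack(">I", 0xFEEDFEED) + b"\x00" * 16)
        z.writestr("assets/readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_bundled_keystores(build_sample_apk())
    for name, reason in hits:
        print(f"FAIL {name}: {reason}")
    # A non-zero exit code lets a CI pipeline block the release.
    raise SystemExit(1 if hits else 0)
```

A finding should fail the build; key material then belongs in a hardware-backed or provisioned key store rather than in the package.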
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded keystore password and bundled private key in the Android app enable adversaries to extract credentials from files and access private keys.
NVD Description
The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key.
Deeper analysis
CVE-2025-59407 is a critical vulnerability in the Flock Safety DetectionProcessing application (package com.flocksafety.android.objects) version 6.35.33 for Android, deployed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The flaw stems from the application bundling a Java Keystore file named flock_rye.bks, which contains a private key, alongside its hardcoded password "flockhibiki17" embedded directly in the code. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe risk due to the exposure of sensitive cryptographic material.
The vulnerability can be exploited by an unauthenticated network attacker, with low attack complexity and no user interaction. Access to the keystore via the hardcoded password allows extraction of the private key, enabling high-impact confidentiality, integrity, and availability compromises, such as unauthorized decryption, key misuse for authentication bypass, or broader system manipulation depending on the key's role in device operations.
Advisories and research details are available in GainSec's publications, including the blog post at https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ and the PDF report at https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf. Additional context on affected products appears on Flock Safety's sites at https://www.flocksafety.com/products and https://www.flocksafety.com/products/license-plate-readers.
Details
- CWE(s)