Key Vulnerability Information

Finding 1: CVE-2025-7075 - Unauthenticated Upload Endpoint on HTTP
Vulnerability Type: Incorrect Access Control
Vendor of Product: BlackVue
Affected Product Code Base: BlackVue Dashcam 590X
Affected Component: Upload mechanism
Attack Type: Remote
Impact: Code execution, Information Disclosure
Attack Vectors: An attacker can upload malware onto the dashcam via an unauthenticated upload endpoint on the dashcam's HTTP server.
Vendor Acknowledgment: Yes

Finding 2: CVE-2025-7076 - Unauthenticated Modifications to Dashcam Configurations
Vulnerability Type: Incorrect Access Control
Vendor of Product: BlackVue
Affected Product Code Base: BlackVue Dashcam 590X
Affected Component: Unauthenticated Configuration Management
Attack Type: Remote
Impact: Code execution, Information Disclosure
Attack Vectors: A remote attacker can leverage the lack of authentication on configuration management to disable battery protection on the dashcam and drain the car's battery.
Vendor Acknowledgment: Yes

Finding 3: CVE-2025-2355 - Hardcoded secrets exposed in plaintext and client secrets sent via GET
Vulnerability Type: Information Disclosure
Vendor of Product: BlackVue
Affected Product Code Base: BlackVue v3.05 APK
Affected Component: API endpoints
Impact: Exposure of hardcoded secrets, and of client secrets transmitted as GET request parameters.

Finding 4: CVE-2025-2356 - Unauthorized API calls to change settings, such as deleting a device
Vulnerability Type: Authorization Bypass
Vendor of Product: BlackVue
Affected Product Code Base: BlackVue v3.05 APK
Affected Component: API endpoints
Impact: Arbitrary changes to, or remote control of, the account/device.
Attack Vectors: Most of the sensitive API endpoints require a userToken, which is transmitted as a GET parameter.

Finding 5: Misconfigured Cloud Devices Exposing Live Feeds, Location, Even Car Plates
Vulnerability Type: Misconfiguration
Vendor of Product: BlackVue
Affected Product Code Base: Cloud devices
Impact: Exposure of live feeds, location, and even car plates.
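Findings 3 and 4 both hinge on credentials (client secrets, the userToken) travelling in GET query strings, where they end up in web-server, proxy and browser history logs. The following Python check, added here as an example and not part of the original advisory or of BlackVue's code, scans access-log lines for such parameters and reports them with the secret redacted; the sample log lines, the endpoint paths and every parameter name other than userToken are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never carry a credential in a URL. "userToken" comes from
# the advisory; the others are common variants added as assumptions, not BlackVue API names.
SENSITIVE_PARAMS = {"usertoken", "client_secret", "clientsecret", "access_token", "password"}

# Combined-log-format prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def redact(value, keep=4):
    """Keep a short prefix for correlation and mask the rest, so triage does not re-expose it."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)

def find_credentials_in_urls(log_lines):
    """Return one finding per request whose query string carries a sensitive parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = sorted(name for name in params if name.lower() in SENSITIVE_PARAMS)
        if hits:
            findings.append({
                "client": m.group("client"),
                "method": m.group("method"),
                "path": parts.path,
                "params": hits,
                "redacted": {name: redact(params[name][0]) for name in hits},
            })
    return findings

# Constructed sample lines; the paths and token values are invented for this example.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Mar/2025:10:01:02 +0000] "GET /api/device/delete?userToken=abcd1234efgh5678&deviceId=dev01 HTTP/1.1" 200 17',
    '198.51.100.7 - - [16/Mar/2025:10:01:05 +0000] "GET /api/device/list?deviceId=dev01 HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Mar/2025:10:02:11 +0000] "POST /oauth/token?client_secret=s3cr3tvalue HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in find_credentials_in_urls(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['path']} leaks {f['params']} -> {f['redacted']}")
```

The fix on the service side is to move such tokens into an Authorization header or request body and to mark them for log scrubbing; this check is for finding where that has not yet happened.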
Disclosure Timeline
25 Feb 2025 - disclosed to BlackVue
26 Feb 2025 - acknowledged by BlackVue
5 Mar 2025 - accepted by BlackVue
16 Mar 2025 - CVEs published