CRITICAL🇵🇱 Wersja polska

CVE-2025-59403

CVSS 9.8v3.1pub. 2025-10-02upd. 2025-11-24

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.

🤖 AI Analysis
How it works

The Collins application, responsible for handling the video stream of Falcon, Sparrow, and Bravo cameras, exposes a number of administrative HTTP endpoints on port 8080 without requiring authentication. The /reboot endpoint allows for remote device restart (DoS), the /logs endpoint discloses diagnostic data (information disclosure), while the /adb/enable endpoint launches Android Debug Bridge (ADB) over TCP without debugging mode confirmation. An attacker within reach of the LAN or WLAN network can thereby gain full access to the device's system shell without any credentials.

Impact

An attacker on the local network can gain full control of the device through RCE with shell access, disable the camera via DoS, and obtain sensitive data from system logs and diagnostic packets.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. Until updates are applied, it is recommended to implement network isolation of Flock Safety devices (network segmentation, firewall) so that port 8080 is not accessible to unauthorized clients on the LAN/WLAN.

Who is affected

Flock Safety Android Collins (com.flocksafety.android.collins) version 6.35.31, supporting Flock Safety camera devices Falcon, Sparrow, and Bravo

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Flocksafety Flock Safety

    APP
    Flocksafety
    6.35.31
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
References

Related vulnerabilities

CVE-2025-59407CRITICAL9.8PL ✓ten sam produkt

Hardcoded hasło do Java Keystore w aplikacji Flock Safety na Android

CVE-2025-59405HIGH7.5ten sam produkt

The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Fa...

CVE-2025-59406MEDIUM6.2ten sam produkt

The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and ...

CVE-2025-59409HIGH7.5ten sam vendor

Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials ...

CVE-2025-59404HIGH7.5ten sam vendor

Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 ships with its bootloader unlocked. This ...