CVE-2025-2350

6.3 MEDIUM

📋 TL;DR

This vulnerability in IROAD Dash Cam FX2 allows unauthenticated attackers on the local network to upload arbitrary files, potentially leading to webshell deployment and system compromise. It affects IROAD Dash Cam FX2 devices with firmware up to version 20250308 (March 8, 2025). Exploitation requires local network access.

💻 Affected Systems

Products:
  • IROAD Dash Cam FX2
Versions: Up to firmware version 20250308 (March 8, 2025)
Operating Systems: Embedded/Linux-based dash cam firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /action/upload_file endpoint functionality. Requires local network access for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover via webshell, enabling persistent access, data exfiltration, lateral movement within the network, and potential use as a pivot point for further attacks.

🟠 Likely Case

Unauthenticated attackers upload malicious files to gain remote code execution, compromising the dash cam and potentially accessing stored video footage.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated dash cam device without affecting other systems.

🌐 Internet-Facing: LOW - The vulnerability requires local network access according to the description.
🏢 Internal Only: HIGH - Any attacker on the local network can exploit this without authentication to achieve remote code execution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. The vulnerability allows unrestricted file upload without authentication, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor IROAD vendor website for firmware updates addressing CVE-2025-2350.

🔧 Temporary Workarounds

Network Segmentation

Isolate dash cam devices on a separate VLAN with strict access controls

Firewall Rules

Block all inbound traffic to dash cam devices except from authorized management systems

🧯 If You Can't Patch

  • Segment dash cam network from critical systems using VLANs or physical separation
  • Implement strict network access controls and monitor for unusual upload activity to /action/upload_file

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or device settings. If version is 20250308 or earlier, device is vulnerable.

Check Version:

Check device web interface at http://[device-ip]/ or consult device documentation for version checking

Verify Fix Applied:

Verify firmware version is newer than 20250308 and test that /action/upload_file endpoint rejects unauthorized uploads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /action/upload_file endpoint
  • Unexpected process execution on dash cam device

Network Indicators:

  • HTTP POST requests to /action/upload_file from unauthorized sources
  • Unexpected outbound connections from dash cam devices

SIEM Query:

dest_ip IN (dash_cam_ips) AND http_path:"/action/upload_file" AND http_method:POST
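
The network indicator above, worked through as an added example (not part of the original advisory): a small filter that flags POST requests to /action/upload_file on dash cam addresses when the source is not an authorized management system. The log layout, the IP ranges and the allowlist are constructed assumptions; adapt them to your own proxy or flow logs.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions (not from the advisory): addresses and log layout are constructed.
DASH_CAM_NET = ipaddress.ip_network("192.0.2.0/28")           # dash cam VLAN
AUTHORIZED_SOURCES = {ipaddress.ip_address("198.51.100.10")}  # management host
UPLOAD_PATH = "/action/upload_file"

# Constructed sample lines: "<time> <src_ip> <dst_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2025-03-10T08:00:01Z 198.51.100.10 192.0.2.5 POST /action/upload_file 200
2025-03-10T08:02:17Z 198.51.100.77 192.0.2.5 POST /action/upload_file 200
2025-03-10T08:02:40Z 198.51.100.77 192.0.2.5 GET /index.html 200
2025-03-10T08:03:05Z 198.51.100.91 192.0.2.6 post /action/upload_file/?x=1 200
2025-03-10T08:04:00Z 198.51.100.91 203.0.113.9 POST /action/upload_file 404
malformed line
"""

def is_upload_request(method, url):
    """True for POSTs whose normalized path is the upload endpoint."""
    # Drop the query string and trailing slash, and compare case-insensitively,
    # so trivially varied request lines still match.
    path = urlsplit(url).path.rstrip("/").lower()
    return method.upper() == "POST" and path == UPLOAD_PATH

def find_unauthorized_uploads(log_text):
    """Return (time, src, dst, status) for uploads to dash cams from unlisted sources."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed layout
        when, src, dst, method, url, status = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines with unparseable addresses
        if dst_ip not in DASH_CAM_NET or not is_upload_request(method, url):
            continue
        if src_ip not in AUTHORIZED_SOURCES:
            alerts.append((when, src, dst, status))
    return alerts

if __name__ == "__main__":
    for alert in find_unauthorized_uploads(SAMPLE_LOG):
        print("ALERT unauthorized upload:", *alert)
```

The HTTP status is kept in each alert so that successful uploads (2xx) can be triaged ahead of rejected ones.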
