CVE-2025-59406
📋 TL;DR
The Flock Safety Pisco Android application contains a hardcoded Auth0 client secret in its codebase, allowing attackers to extract this credential through reverse engineering. This enables unauthorized access to Auth0-protected resources and potential account compromise. All users of Flock Safety's Falcon, Sparrow License Plate Readers, and Bravo Edge AI Compute Devices running the vulnerable Android app are affected.
💻 Affected Systems
- Flock Safety Pisco Android Application
- Falcon License Plate Reader
- Sparrow License Plate Reader
- Bravo Edge AI Compute Device
📦 What is this software?
Flock Safety by Flocksafety
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to Auth0-protected backend systems, potentially compromising user accounts, accessing sensitive data, or performing actions as authenticated users.
Likely Case
Attackers extract the client secret to obtain unauthorized API access, potentially accessing license plate data, camera feeds, or other protected resources.
If Mitigated
Limited impact if Auth0 has additional security controls like IP restrictions, rate limiting, or if the secret is quickly rotated and invalidated.
🎯 Exploit Status
Exploitation requires reverse engineering the APK file using standard tools like apktool or jadx to extract the hardcoded secret.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Contact Flock Safety for patch availability.
2. If a patch is available, update the Android application to the fixed version.
3. Rotate all affected Auth0 client secrets immediately.
🔧 Temporary Workarounds
Auth0 Secret Rotation
Rotate the compromised Auth0 client secret to invalidate the exposed credential
Navigate to Auth0 Dashboard > Applications > Your Application > Settings > Rotate Secret
Network Segmentation
Restrict network access to Auth0 endpoints to authorized devices only
🧯 If You Can't Patch
- Immediately rotate the Auth0 client secret and implement additional Auth0 security controls like IP allowlisting
- Monitor Auth0 logs for unauthorized access attempts and implement strict rate limiting
🔍 How to Verify
Check if Vulnerable:
Decompile the APK file using apktool or jadx and search for Auth0 client secrets in the codebase
Check Version:
On Android device: Settings > Apps > Flock Safety Pisco > App info > Version
Verify Fix Applied:
Check that the updated APK no longer contains hardcoded Auth0 secrets and verify in the Auth0 Dashboard that the new secret is in use
📡 Detection & Monitoring
Log Indicators:
- Unusual Auth0 authentication patterns
- API access from unexpected locations or devices
Network Indicators:
- Unusual traffic to Auth0 endpoints from unexpected sources
SIEM Query:
source="auth0" AND (client_id="compromised_client_id" OR abnormal_auth_patterns)
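As an added example (not from the original advisory or from Flock Safety), here are the log indicators above expressed as a check over constructed Auth0-style log events: the client ID, the CIDR allowlist and the event lines are assumed placeholders, and the event type codes are Auth0's log type codes for client-credentials token exchanges (seccft = success, feccft = failure).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Auth0 tenant log events, simplified to the fields the
# check needs (real events carry many more). Client ID and IPs are placeholders.
SAMPLE_LOGS = """
{"date":"2025-09-28T10:00:01Z","type":"seccft","client_id":"PISCO_APP_CLIENT_ID","ip":"10.20.0.15"}
{"date":"2025-09-28T10:00:07Z","type":"seccft","client_id":"PISCO_APP_CLIENT_ID","ip":"10.20.0.16"}
{"date":"2025-09-28T11:42:10Z","type":"seccft","client_id":"PISCO_APP_CLIENT_ID","ip":"203.0.113.77"}
{"date":"2025-09-28T11:42:11Z","type":"feccft","client_id":"PISCO_APP_CLIENT_ID","ip":"203.0.113.77"}
{"date":"2025-09-28T11:42:12Z","type":"feccft","client_id":"PISCO_APP_CLIENT_ID","ip":"203.0.113.77"}
{"date":"2025-09-28T11:42:13Z","type":"feccft","client_id":"PISCO_APP_CLIENT_ID","ip":"203.0.113.77"}
{"date":"2025-09-28T12:00:00Z","type":"s","client_id":"OTHER_CLIENT_ID","ip":"198.51.100.5"}
"""


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON log events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_events(events, client_id, allowed_cidrs, fail_threshold=3):
    """Return (reason, ip, date) alerts for the given Auth0 client.

    Alerts on a successful client-credentials exchange from an IP outside the
    allowlist (token issued to an unexpected source) and on repeated failed
    exchanges from one IP (credential being tried against the tenant).
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    failures = Counter()
    alerts = []
    for ev in events:
        if ev.get("client_id") != client_id:
            continue  # other applications in the tenant are out of scope
        ip = ipaddress.ip_address(ev["ip"])
        outside = not any(ip in net for net in nets)
        if ev["type"] == "seccft" and outside:
            alerts.append(("token_from_unexpected_source", ev["ip"], ev["date"]))
        elif ev["type"] == "feccft":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == fail_threshold:
                alerts.append(("repeated_failed_exchange", ev["ip"], ev["date"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(parse_events(SAMPLE_LOGS), "PISCO_APP_CLIENT_ID", ["10.20.0.0/16"]):
        print(alert)
```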
🔗 References
- https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/
- https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf
- https://www.flocksafety.com/products
- https://www.flocksafety.com/products/license-plate-readers