Search
Search Results (5 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59409 | 1 Flocksafety | 2 Falcon, Sparrow License Plate Reader | 2025-10-03 | 7.5 High |
| Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware. | ||||
| CVE-2025-59407 | 3 Flock Safety, Flocksafety, Google | 6 Bravo Edge Ai Compute Device, Bravo Edge Ai Compute Device, Detectionprocessing and 3 more | 2025-10-03 | 9.8 Critical |
| The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key. | ||||
| CVE-2025-59405 | 2 Flocksafety, Google | 5 Bravo Edge Ai Compute Device, Falcon, License Plate Reader and 2 more | 2025-10-03 | 7.5 High |
| The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software. | ||||
| CVE-2025-59403 | 2 Flocksafety, Google | 5 Bravo Edge Ai Compute Device, Collins, Falcon and 2 more | 2025-10-03 | 6.5 Medium |
| The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access. | ||||
| CVE-2025-59406 | 3 Flock Safety, Flocksafety, Google | 6 Bravo Edge Ai Compute Device, Bravo Edge Ai Compute Device, Falcon and 3 more | 2025-10-03 | 6.2 Medium |
| The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software. | ||||
Page 1 of 1.