Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for X5 Mobile App by IROAD

    CVE-2025-2342 (GCVE-0-2025-2342)

    Vulnerability from nvd – Published: 2025-03-16 16:00 – Updated: 2025-03-17 14:18
    VLAI
    Title
    IROAD X5 Mobile App API Endpoint hard-coded credentials
    Summary
    A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Hard-coded Credentials
    • CWE-259 - Use of Hard-coded Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    IROAD X5 Mobile App Affected: 5.2.0
    Affected: 5.2.1
    Affected: 5.2.2
    Affected: 5.2.3
    Affected: 5.2.4
    Affected: 5.2.5
    Create a notification for this product.
    Credits
    geochen (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-17T14:18:16.406704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T14:18:23.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "API Endpoint"
              ],
              "product": "X5 Mobile App",
              "vendor": "IROAD",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.0"
                },
                {
                  "status": "affected",
                  "version": "5.2.1"
                },
                {
                  "status": "affected",
                  "version": "5.2.2"
                },
                {
                  "status": "affected",
                  "version": "5.2.3"
                },
                {
                  "status": "affected",
                  "version": "5.2.4"
                },
                {
                  "status": "affected",
                  "version": "5.2.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "geochen (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine kritische Schwachstelle in IROAD X5 Mobile App bis 5.2.5 f\u00fcr Android entdeckt. Dabei betrifft es einen unbekannter Codeteil der Komponente API Endpoint. Durch die Manipulation mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "Use of Hard-coded Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-16T16:00:07.647Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-299808 | IROAD X5 Mobile App API Endpoint hard-coded credentials",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.299808"
            },
            {
              "name": "VDB-299808 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.299808"
            },
            {
              "name": "Submit #512419 | IROAD Dashcam APK 5.2.5 Plaintext Password in Configuration File",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.512419"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-2-hardcoded-credentials-in-apk-iroad--v525-to-ports-9091-and-9092"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-03-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-03-15T19:27:49.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "IROAD X5 Mobile App API Endpoint hard-coded credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-2342",
        "datePublished": "2025-03-16T16:00:07.647Z",
        "dateReserved": "2025-03-15T18:22:19.438Z",
        "dateUpdated": "2025-03-17T14:18:23.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2342 (GCVE-0-2025-2342)

    Vulnerability from cvelistv5 – Published: 2025-03-16 16:00 – Updated: 2025-03-17 14:18
    VLAI
    Title
    IROAD X5 Mobile App API Endpoint hard-coded credentials
    Summary
    A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Hard-coded Credentials
    • CWE-259 - Use of Hard-coded Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    IROAD X5 Mobile App Affected: 5.2.0
    Affected: 5.2.1
    Affected: 5.2.2
    Affected: 5.2.3
    Affected: 5.2.4
    Affected: 5.2.5
    Create a notification for this product.
    Credits
    geochen (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-17T14:18:16.406704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T14:18:23.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "API Endpoint"
              ],
              "product": "X5 Mobile App",
              "vendor": "IROAD",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.0"
                },
                {
                  "status": "affected",
                  "version": "5.2.1"
                },
                {
                  "status": "affected",
                  "version": "5.2.2"
                },
                {
                  "status": "affected",
                  "version": "5.2.3"
                },
                {
                  "status": "affected",
                  "version": "5.2.4"
                },
                {
                  "status": "affected",
                  "version": "5.2.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "geochen (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine kritische Schwachstelle in IROAD X5 Mobile App bis 5.2.5 f\u00fcr Android entdeckt. Dabei betrifft es einen unbekannter Codeteil der Komponente API Endpoint. Durch die Manipulation mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "Use of Hard-coded Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-16T16:00:07.647Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-299808 | IROAD X5 Mobile App API Endpoint hard-coded credentials",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.299808"
            },
            {
              "name": "VDB-299808 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.299808"
            },
            {
              "name": "Submit #512419 | IROAD Dashcam APK 5.2.5 Plaintext Password in Configuration File",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.512419"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-2-hardcoded-credentials-in-apk-iroad--v525-to-ports-9091-and-9092"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-03-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-03-15T19:27:49.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "IROAD X5 Mobile App API Endpoint hard-coded credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-2342",
        "datePublished": "2025-03-16T16:00:07.647Z",
        "dateReserved": "2025-03-15T18:22:19.438Z",
        "dateUpdated": "2025-03-17T14:18:23.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }