CVE-2025-45583: n/a
Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password.
AI Analysis
Technical Summary
CVE-2025-45583 is a vulnerability identified in the FTP protocol implementation of the Audi UTR 2.0 Universal Traffic Recorder 2.0. The core issue is an incorrect access control mechanism that allows attackers to bypass authentication entirely by using any arbitrary combination of username and password. This means that the FTP service does not properly validate credentials, effectively granting unauthorized access to the device's FTP interface. The Universal Traffic Recorder is likely used for recording and storing traffic data, potentially including sensitive operational or surveillance information. The vulnerability arises from flawed authentication logic, which could be due to improper credential verification or a misconfiguration in the FTP server software embedded in the device. No specific affected versions are listed, and no patches or known exploits in the wild have been reported as of the publication date. The absence of a CVSS score suggests the vulnerability is newly disclosed and not yet fully assessed. However, the ability to authenticate without valid credentials represents a critical security flaw that can lead to unauthorized data access or manipulation. Attackers exploiting this vulnerability could gain read/write access to the FTP service, potentially allowing them to download sensitive data, upload malicious files, or disrupt device operations. Given the device's role in traffic recording, compromise could impact data integrity and availability, and may also expose sensitive surveillance or traffic monitoring data.
Potential Impact
For European organizations, especially those involved in traffic management, urban planning, or law enforcement, this vulnerability poses a significant risk. Unauthorized access to the Universal Traffic Recorder could lead to leakage of sensitive traffic data, manipulation of recorded information, or disruption of traffic monitoring services. This could affect public safety, traffic flow management, and law enforcement investigations. Additionally, attackers could use the compromised device as a foothold within a network, potentially moving laterally to other critical infrastructure systems. The impact extends beyond data confidentiality to include integrity and availability of traffic data, which are crucial for operational decision-making. Given the critical nature of traffic infrastructure in European smart cities and transport networks, exploitation could have cascading effects on public services and citizen safety.
Mitigation Recommendations
Organizations using Audi UTR 2.0 devices should immediately verify if their devices are affected by this vulnerability. Since no patches are currently available, mitigation should focus on network-level controls: restrict FTP access to trusted management networks only, implement network segmentation to isolate the device from broader enterprise networks, and monitor FTP traffic for unusual access patterns. Disabling FTP access entirely, if feasible, or replacing it with more secure transfer protocols (e.g., SFTP or FTPS) is recommended. Additionally, organizations should implement strict access controls and logging to detect unauthorized access attempts. Regularly auditing device configurations and firmware versions can help identify vulnerable devices. Once a patch or firmware update is released by the vendor, prompt application is critical. Finally, consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous FTP authentication behavior.
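The monitoring step above can be made concrete with a small log check. This is an added example, not vendor or advisory code: it flags successful FTP logins (reply code 230) that come from outside the management network, use an unprovisioned username, or show one source succeeding with several different usernames. The log line format, the subnet and the account name `utr-admin` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values (hypothetical, not from the advisory): the trusted management
# subnet and the only account that should ever log in to the recorder.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
KNOWN_USERS = {"utr-admin"}

# Constructed sample log, format: "<timestamp> <src_ip> <username> <ftp_reply_code>"
SAMPLE_LOG = """\
2025-09-12T20:01:02Z 10.20.0.5 utr-admin 230
2025-09-12T20:03:11Z 10.20.0.9 utr-admin 530
2025-09-12T20:05:40Z 192.168.7.44 foo 230
2025-09-12T20:05:52Z 192.168.7.44 bar 230
2025-09-12T20:09:17Z 10.20.0.7 test123 230
"""


def find_suspicious_logins(log_text, mgmt_net=MGMT_NET, known_users=KNOWN_USERS):
    """Return {src_ip: sorted reasons} for successful logins that should not succeed."""
    reasons = defaultdict(set)
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, src, user, code = parts
        if code != "230":  # 230 = "User logged in"; failures are not the signal here
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        users_by_src[src].add(user)
        if ip not in mgmt_net:
            reasons[src].add("outside-mgmt-net")
        if user not in known_users:
            reasons[src].add("unknown-user-accepted")
    # A server that accepts any credentials lets one client succeed under many names.
    for src, users in users_by_src.items():
        if len(users) > 1:
            reasons[src].add("multiple-users-accepted")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in find_suspicious_logins(SAMPLE_LOG).items():
        print(src, why)
```

A 230 reply for a username that was never provisioned is the strongest indicator here, since a correctly working server would answer 530.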
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68c4811ab0d74f55ea9c84aa
Added to database: 9/12/2025, 8:22:50 PM
Last enriched: 9/12/2025, 8:26:58 PM
Last updated: 9/12/2025, 11:16:48 PM