CVE-2025-45583: n/a
Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password.
AI Analysis
Technical Summary
CVE-2025-45583 is a critical vulnerability affecting the FTP protocol implementation in the Audi UTR 2.0 Universal Traffic Recorder 2.0. The core issue is an incorrect access control mechanism that allows attackers to bypass authentication entirely by using any arbitrary combination of username and password. This vulnerability falls under CWE-287, which relates to improper authentication. The vulnerability has a CVSS v3.1 base score of 9.1, indicating a critical severity level. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N describes a network attack vector with low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity, but no impact on availability. In practical terms, an attacker can remotely connect to the FTP service of the Audi UTR 2.0 device and gain unauthorized access without valid credentials. This access could allow the attacker to read or modify sensitive traffic recording data, potentially compromising the integrity and confidentiality of recorded traffic information. Since the vulnerability affects a traffic recorder device, it may be used in environments such as traffic monitoring, law enforcement, or transportation infrastructure, where data integrity and confidentiality are critical. No patches or mitigations have been published yet, and no known exploits are reported in the wild as of the publication date. The vulnerability was reserved in April 2025 and published in September 2025, indicating recent discovery and disclosure.
Potential Impact
For European organizations, especially those involved in traffic management, law enforcement, or smart city infrastructure, this vulnerability poses a significant risk. Unauthorized access to traffic recorder devices could lead to exposure or manipulation of sensitive traffic data, undermining public safety and trust. Attackers could alter recorded data to evade traffic enforcement or disrupt traffic monitoring systems. The confidentiality breach could expose personally identifiable information or vehicle tracking data, violating privacy regulations such as GDPR. Integrity compromise could affect legal evidence or operational decisions based on traffic data. Although availability is not directly impacted, the loss of trust in data accuracy can have operational consequences. Given the critical CVSS score and ease of exploitation (no authentication or user interaction required), attackers could quickly leverage this vulnerability to gain persistent unauthorized access. This could also serve as a foothold for lateral movement within organizational networks if the device is connected to broader infrastructure.
Mitigation Recommendations
Immediate mitigation should focus on network-level controls to restrict access to the vulnerable FTP service. Organizations should implement strict firewall rules to limit FTP access only to trusted management networks or devices. Network segmentation should isolate the Audi UTR 2.0 devices from general user networks and the internet. Monitoring network traffic for unusual FTP connection attempts or unauthorized access patterns is recommended. Since no patches are currently available, organizations should consider disabling the FTP service on these devices if operationally feasible or replacing the device with a more secure alternative. If disabling FTP is not possible, deploying an application-layer firewall or FTP proxy that enforces authentication could help mitigate unauthorized access. Additionally, organizations should review and harden access credentials, and should audit logs for suspicious activity. Planning for rapid deployment of vendor patches or firmware updates once released is critical. Finally, organizations should conduct a risk assessment to identify all Audi UTR 2.0 devices in their environment and prioritize remediation efforts accordingly.
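A sketch of the FTP monitoring recommended above, as an added example that is not part of the original advisory. Because the service accepts any credentials, the useful signals are a successful login (reply 230) from outside the management network and a single source being accepted under several usernames. The log format, the MGMT_NETS subnet and the sample lines are assumptions constructed for illustration, not the device's real logs.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the only subnet that should reach the recorder's FTP service.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample of FTP control-channel events (not real device logs).
# Hypothetical format: "<timestamp> <client_ip> <C|S> <command or reply>"
SAMPLE = """\
2025-09-12T08:00:01Z 10.20.0.15 C USER operator
2025-09-12T08:00:01Z 10.20.0.15 S 230 Login successful
2025-09-12T09:14:40Z 192.0.2.77 C USER admin
2025-09-12T09:14:41Z 192.0.2.77 S 230 Login successful
2025-09-12T09:14:55Z 192.0.2.77 C USER qwerty123
2025-09-12T09:14:56Z 192.0.2.77 S 230 Login successful
2025-09-12T09:20:02Z 10.20.0.99 C USER backup
2025-09-12T09:20:03Z 10.20.0.99 S 530 Login incorrect
"""

LINE = re.compile(r"^(\S+) (\S+) ([CS]) (.*)$")


def find_suspicious_logins(log_text, mgmt_nets=MGMT_NETS):
    """Return (client_ip, reason, usernames) tuples for accepted logins worth review."""
    pending = {}                 # client ip -> last USER name sent
    accepted = defaultdict(set)  # client ip -> usernames answered with 230
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, client, side, text = m.groups()
        if side == "C" and text.upper().startswith("USER "):
            pending[client] = text[5:].strip()
        elif side == "S" and text.startswith("230") and client in pending:
            accepted[client].add(pending.pop(client))  # only 230 replies count
    alerts = []
    for client, users in sorted(accepted.items()):
        addr = ipaddress.ip_address(client)
        if not any(addr in net for net in mgmt_nets):
            alerts.append((client, "login from outside management network", sorted(users)))
        if len(users) > 1:
            alerts.append((client, "multiple usernames accepted from one source", sorted(users)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE):
        print(alert)
```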
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c4811ab0d74f55ea9c84aa
Added to database: 9/12/2025, 8:22:50 PM
Last enriched: 9/21/2025, 12:41:57 AM
Last updated: 10/29/2025, 9:32:22 AM