CVE-2025-59403: n/a
The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.
AI Analysis
Technical Summary
CVE-2025-59403 is a critical vulnerability affecting the Flock Safety Android Collins application (com.flocksafety.android.collins) version 6.35.31, which manages camera feeds for Falcon, Sparrow, and Bravo devices. The core issue is the lack of authentication on administrative API endpoints exposed on port 8080. These endpoints include /reboot, /logs, /crashpack, and /adb/enable, among others. Because these endpoints are accessible without any authentication, an attacker within the local area network (LAN) or wireless LAN (WLAN) can exploit them to perform multiple malicious actions. The /reboot endpoint can be used to cause denial of service (DoS) by repeatedly rebooting the device, disrupting surveillance operations. The /logs endpoint exposes sensitive information, leading to information disclosure that could aid further attacks. Most critically, the /adb/enable endpoint allows an attacker to start Android Debug Bridge (adb) over TCP without requiring debugging confirmation, effectively granting shell access to the device remotely. This enables remote code execution (RCE), allowing attackers to execute arbitrary commands, potentially compromising the device and the network it is connected to. The vulnerability arises from improper access control and insecure exposure of administrative interfaces, which are typically expected to be protected by authentication and network segmentation. No CVSS score has been assigned yet, and there are no known exploits in the wild as of the publication date. However, the nature of the vulnerability and the ease of exploitation within the LAN/WLAN environment make it a severe security risk.
Potential Impact
For European organizations, especially those relying on Flock Safety surveillance devices for security and monitoring, this vulnerability poses significant risks. The ability to remotely reboot devices can disrupt critical surveillance operations, potentially creating blind spots in security coverage. Information disclosure via logs can leak sensitive operational data or configuration details, facilitating further targeted attacks. The most severe impact is the potential for remote code execution through adb over TCP, which could allow attackers to gain persistent control over the devices, manipulate camera feeds, or pivot to other parts of the network. This could compromise physical security, violate privacy regulations such as GDPR due to unauthorized data access, and damage organizational reputation. Organizations in sectors like law enforcement, critical infrastructure, transportation, and urban security that deploy these devices are particularly vulnerable. The threat is exacerbated in environments where network segmentation is weak or where devices are accessible over WLAN or LAN without strict access controls. Given the administrative API is exposed without authentication, even relatively unsophisticated attackers with local network access can exploit this vulnerability, increasing the risk profile for European entities.
Mitigation Recommendations
Immediate mitigation should focus on network-level controls to restrict access to port 8080 on the affected devices. Organizations should implement strict network segmentation, ensuring that only authorized management stations can reach these endpoints. Deploy firewall rules or VLAN segmentation to isolate the devices from general user networks and guest WLANs. If possible, disable or block access to the administrative API endpoints until a vendor patch is available. Monitor network traffic for unusual activity targeting port 8080 or attempts to access the /adb/enable endpoint. Organizations should engage with Flock Safety to obtain patches or updated versions of the Android Collins application that enforce authentication on these endpoints. In the interim, consider deploying host-based intrusion detection systems (HIDS) on management workstations to detect suspicious adb connections. Additionally, enforce strong physical security controls to prevent unauthorized local network access. Regularly audit device configurations and logs to detect signs of exploitation. Finally, educate network administrators and security teams about this vulnerability to ensure rapid response if exploitation attempts are detected.
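As an added illustration of the monitoring recommendation above (example code written for this page, not code from the advisory, from Flock Safety, or from the Collins application), the following Python script scans an access-log excerpt for requests to the unauthenticated administrative endpoints on port 8080 and flags any that did not originate from an approved management station. The log line format, the IP addresses and the allowlist are assumptions; the endpoint names, the port and the impact attributed to each endpoint come from the advisory text.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Endpoints named in the CVE-2025-59403 description, mapped to the impact
# the advisory attributes to each one.
ADMIN_ENDPOINTS = {
    "/reboot": "denial of service (device reboot)",
    "/logs": "information disclosure",
    "/crashpack": "information disclosure",
    "/adb/enable": "remote code execution (adb started over TCP)",
}
ADMIN_PORT = 8080  # port on which the advisory says the API is exposed

# Assumed log format (hypothetical; adapt the regex to your firewall/proxy):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    path: str
    impact: str


def normalize_path(raw: str) -> str:
    """Drop the query string and trailing slash so '/adb/enable/?x=1' still matches."""
    path = urlsplit(raw).path
    return path.rstrip("/") or "/"


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict, allowed_sources: frozenset) -> Optional[Alert]:
    """Alert on any request to an admin endpoint on port 8080 that did not
    come from an authorized management station."""
    if int(rec["port"]) != ADMIN_PORT:
        return None
    path = normalize_path(rec["path"])
    impact = ADMIN_ENDPOINTS.get(path)
    if impact is None or rec["src"] in allowed_sources:
        return None
    return Alert(rec["ts"], rec["src"], rec["dst"], path, impact)


def scan(lines: Iterable[str], allowed_sources: Iterable[str] = ()) -> list:
    """Run every line through the parser and classifier; unparseable lines are skipped."""
    allowed = frozenset(allowed_sources)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec, allowed)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real traffic); all addresses are placeholders.
SAMPLE_LOG = """\
2025-10-02T17:00:01Z 10.0.20.5 -> 10.0.20.40:8080 GET /status 200
2025-10-02T17:00:05Z 10.0.20.5 -> 10.0.20.40:8080 POST /reboot 200
2025-10-02T17:00:09Z 10.0.30.77 -> 10.0.20.40:8080 GET /logs 200
2025-10-02T17:00:12Z 10.0.30.77 -> 10.0.20.40:8080 POST /adb/enable/?src=x 200
2025-10-02T17:00:15Z 10.0.30.77 -> 10.0.20.40:443 GET /logs 404
this line is not in the expected format
"""

if __name__ == "__main__":
    # 10.0.20.5 plays the role of the one authorized management station.
    for a in scan(SAMPLE_LOG.splitlines(), allowed_sources={"10.0.20.5"}):
        print(f"{a.ts} {a.src} -> {a.dst} {a.path}: {a.impact}")
```

Run against the sample, the script reports the /logs and /adb/enable requests from the unapproved host and stays silent on the /reboot call from the allowlisted station; dropping the allowlist surfaces that call too. Requests on other ports and malformed lines are ignored rather than alerted on, so the rule stays narrow enough to run continuously.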
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-15T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68deb12af660c882cd1794a6
Added to database: 10/2/2025, 5:06:50 PM
Last enriched: 10/2/2025, 5:07:10 PM
Last updated: 10/2/2025, 9:39:05 PM
Views: 5
Related Threats
- CVE-2025-61668: CWE-476: NULL Pointer Dereference in plone volto (High)
- CVE-2025-61600: CWE-400: Uncontrolled Resource Consumption in stalwartlabs stalwart (High)
- CVE-2025-54086: Vulnerability in Absolute Security Secure Access (Medium)
- CVE-2025-61603: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
- CVE-2025-61595: CWE-400: Uncontrolled Resource Consumption in MANTRA-Chain mantrachain (High)