CVE-2025-59406: n/a
The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
AI Analysis
Technical Summary
CVE-2025-59406 identifies a security vulnerability in the Flock Safety Pisco Android application version 6.21.11, which is deployed on specialized hardware devices including Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices. The core issue is the inclusion of a cleartext Auth0 client secret embedded directly within the application’s codebase. Auth0 client secrets are sensitive credentials used in OAuth authentication flows to securely identify and authorize client applications. Embedding such secrets in client-side software is a critical security misconfiguration because application binaries can be easily decompiled or reverse-engineered by attackers without requiring special privileges or elevated access. Once extracted, this client secret can be used by an attacker to impersonate the legitimate application in OAuth transactions, potentially allowing unauthorized access to backend services or APIs protected by Auth0. This undermines the confidentiality and integrity of the authentication process and may lead to unauthorized data access or manipulation. The vulnerability affects a niche set of devices used for license plate recognition and AI edge computing, which are typically deployed in physical security and surveillance contexts. Although no known exploits have been reported in the wild as of the publication date, the ease of secret extraction makes this a significant risk if attackers target these devices or their associated backend systems. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the technical details clearly demonstrate a high-risk exposure due to the nature of the secret and the attack vector.
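The analysis above turns on one point: a secret compiled into an application binary is recoverable by anyone who holds the binary, so it cannot function as a credential. The standard design for a public client (a native app or an embedded device that cannot keep a secret) is Authorization Code with PKCE (RFC 7636), in which the client proves possession of a fresh per-login random verifier instead of a long-lived shared secret. The Python below is an added example and is not code from this page, from Flock Safety or from Auth0; the `ToyAuthorizationServer`, the `EXAMPLE_PUBLIC_CLIENT_ID` value and the token strings are constructed stand-ins for an authorization server's `/authorize` and `/oauth/token` endpoints.

```python
"""Authorization Code + PKCE (RFC 7636): how a public client authenticates
without any client secret. Added example; the server is a constructed stand-in."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server's /authorize and
    /oauth/token endpoints. It stores the challenge with the issued code and
    never needs a client secret for this flow."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # authorization codes are single-use
        if entry is None:
            return None
        issued_to, challenge = entry
        if issued_to != client_id:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": "constructed-" + secrets.token_hex(8), "token_type": "Bearer"}


CLIENT_ID = "EXAMPLE_PUBLIC_CLIENT_ID"  # a client ID is public by design; it is not a secret


def public_client_flow(server: ToyAuthorizationServer):
    """The device generates a fresh verifier per login and keeps it in memory only."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, make_code_challenge(verifier))
    return server.token(CLIENT_ID, code, verifier)


def redeem_without_verifier(server: ToyAuthorizationServer):
    """A code seen on the redirect is worthless without the in-memory verifier:
    the server rejects the exchange, so nothing embedded in the binary is at stake."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, make_code_challenge(verifier))
    return server.token(CLIENT_ID, code, make_code_verifier())


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("legitimate client:", public_client_flow(srv))
    print("code without verifier:", redeem_without_verifier(srv))
```

The contrast with the vulnerable pattern is the absence of anything to extract: the only long-lived value in the client is the public client ID, and the verifier that binds each exchange is generated on the device and discarded after use. Where a confidential credential is genuinely required (for example, a machine-to-machine grant), it belongs on a backend the device talks to, never in the shipped package.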
Potential Impact
For European organizations, particularly those involved in law enforcement, private security, urban surveillance, or smart city initiatives that utilize Flock Safety’s license plate readers and AI compute devices, this vulnerability poses a substantial risk. Unauthorized access enabled by the leaked Auth0 client secret could allow attackers to bypass authentication controls, potentially gaining access to sensitive vehicle tracking data, surveillance footage, or control over device functionality. This could lead to privacy violations, data breaches involving personally identifiable information (PII), and disruption of security operations. Moreover, compromised devices could be used as pivot points for lateral movement within organizational networks, increasing the risk of broader cyberattacks. Given the increasing regulatory scrutiny in Europe around data protection (e.g., GDPR), any breach involving surveillance data could result in significant legal and financial consequences. The impact is amplified in environments where these devices are integrated into critical infrastructure or public safety systems, where availability and integrity are paramount.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether the affected version (6.21.11) of the Flock Safety Pisco Android application is running on their devices. Immediate steps include:
1) Requesting or applying an updated version of the application from the vendor that removes the embedded client secret and implements secure secret management practices, such as a backend token exchange mechanism or a secure vault, rather than embedding secrets in client code.
2) Rotating the compromised Auth0 client secret immediately to invalidate any extracted credentials and prevent unauthorized use.
3) Implementing network-level controls that restrict access to backend APIs to trusted devices and IP addresses, adding a further layer of defense.
4) Monitoring authentication logs for suspicious OAuth client activity that could indicate misuse of the leaked secret.
5) Employing runtime application self-protection (RASP) or application shielding techniques to make reverse engineering more difficult.
6) Conducting regular security audits and penetration tests focused on device firmware and application binaries to detect similar issues proactively.
These steps go beyond generic advice by focusing on secret rotation, vendor coordination, and layered defense tailored to the affected device ecosystem.
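Step 6 above recommends auditing application binaries for embedded secrets; the most reliable form of that audit is a release gate that runs over the decoded build output before it ships and fails the build when a client secret is present. The Python below is an added example and is not tooling from this page, from Flock Safety or from Auth0. It assumes the decoded app resources sit in a directory tree (as a resource decoder produces); the three rules, the entropy cut-off, and every file, key name and secret-looking value in `build_sample_tree` are constructed for the demo.

```python
"""Release gate: fail the build when an OAuth client secret is embedded in
decoded app resources. Added example; rules and sample data are constructed."""
import math
import re
import sys
import tempfile
from pathlib import Path

# Rule 1: an Android string resource whose name says "client_secret".
XML_SECRET = re.compile(
    r'<string\s+name="[^"]*client_secret[^"]*"\s*>\s*([^<]{16,})\s*</string>', re.IGNORECASE)
# Rule 2: a key/value assignment in properties, JSON, Kotlin or Java sources.
KEY_SECRET = re.compile(
    r'(?P<key>client_secret|clientSecret)\s*[:=]\s*["\']?(?P<value>[^"\'<\s,]{16,})', re.IGNORECASE)
# Rule 3: a long, high-entropy quoted literal in a line or file that mentions Auth0.
QUOTED_LITERAL = re.compile(r'["\']([A-Za-z0-9_\-]{32,})["\']')
ENTROPY_THRESHOLD = 4.0  # bits per character; a constructed cut-off for this demo
SCAN_SUFFIXES = {".xml", ".json", ".properties", ".smali", ".java", ".kt", ".txt"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_file(path: Path) -> list:
    """Return one finding per offending line; the first matching rule wins."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    auth0_in_name = "auth0" in path.name.lower()
    for lineno, line in enumerate(text.splitlines(), 1):
        if XML_SECRET.search(line):
            findings.append({"name": path.name, "line": lineno, "rule": "xml-string-resource"})
            continue
        m = KEY_SECRET.search(line)
        if m:
            findings.append({"name": path.name, "line": lineno,
                             "rule": "named-secret-key", "key": m.group("key")})
            continue
        if auth0_in_name or "auth0" in line.lower():
            for literal in QUOTED_LITERAL.findall(line):
                if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                    findings.append({"name": path.name, "line": lineno,
                                     "rule": "high-entropy-literal"})
                    break
    return findings


def scan_tree(root) -> list:
    """Walk a decoded app tree and scan every text-like file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def build_sample_tree() -> Path:
    """Constructed stand-in for a decoded app; every value here is made up.
    The domain and client ID lines are deliberately benign and must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="decoded-app-"))
    (root / "res" / "values").mkdir(parents=True)
    (root / "assets").mkdir()
    (root / "smali" / "com" / "example").mkdir(parents=True)
    (root / "res" / "values" / "strings.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        '    <string name="app_name">DemoApp</string>\n'
        '    <string name="auth0_domain">example-tenant.auth0.com</string>\n'
        '    <string name="auth0_client_id">EXAMPLE_PUBLIC_CLIENT_ID</string>\n'
        '    <string name="auth0_client_secret">x9Q2pLw7Ke4ZvB1mNs8Rt3Yh6Jc0Fd5G</string>\n'
        '</resources>\n')
    (root / "assets" / "config.properties").write_text(
        "auth0.domain=example-tenant.auth0.com\n"
        "auth0.clientId=EXAMPLE_PUBLIC_CLIENT_ID\n"
        "auth0.clientSecret=Ab3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF\n")
    (root / "smali" / "com" / "example" / "Auth0Client.smali").write_text(
        ".class public Lcom/example/Auth0Client;\n"
        '    const-string v1, "https://example-tenant.auth0.com/oauth/token"\n'
        '    const-string v0, "x9Q2pLw7Ke4ZvB1mNs8Rt3Yh6Jc0Fd5G"\n')
    return root


def main(argv=None) -> int:
    """Exit 1 (fail the pipeline) when any finding exists, 0 otherwise."""
    args = sys.argv[1:] if argv is None else argv
    root = Path(args[0]) if args else build_sample_tree()
    findings = scan_tree(root)
    for f in findings:
        print(f"{f['rule']}: {f['name']}:{f['line']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the path to a decoded build as the only argument, or with no argument to scan the constructed sample. The named-key rules catch the obvious cases cheaply; the entropy rule exists for compiled code (smali, bytecode string tables) where the key name is gone and only the literal survives, which is exactly the form an embedded secret takes in a shipped package.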
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-15T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68deb38427b31a41b5936d6b
Added to database: 10/2/2025, 5:16:52 PM
Last enriched: 10/2/2025, 5:17:38 PM
Last updated: 10/2/2025, 8:01:29 PM
Views: 5
Related Threats
- CVE-2025-54086: Vulnerability in Absolute Security Secure Access (Medium)
- CVE-2025-61603: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
- CVE-2025-61595: CWE-400: Uncontrolled Resource Consumption in MANTRA-Chain mantrachain (High)
- CVE-2025-57443: n/a (Medium)
- CVE-2025-59835: CWE-23: Relative Path Traversal in langbot-app LangBot (High)