CVE-2025-59407 describes a vulnerability in the Flock Safety DetectionProcessing application version 6.35.33 for Android, which is deployed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The vulnerability arises because the application bundles a Java Keystore file named flock_rye.bks within its codebase, and critically, this keystore is protected by a hardcoded password ('flockhibiki17'). The keystore contains a private key, which if extracted by an attacker, could be used to compromise the confidentiality and integrity of communications or data protected by this key. Hardcoding cryptographic material and passwords in application code is a significant security flaw because it allows attackers who gain access to the application binary or firmware to retrieve sensitive cryptographic keys without needing to bypass additional authentication or security controls. This exposure can lead to unauthorized decryption of sensitive data, impersonation of legitimate devices, or signing of malicious data that appears authentic. The affected devices—license plate readers and edge AI compute devices—are typically used for surveillance, law enforcement, or security monitoring, making the confidentiality and integrity of their data critical. No CVSS score has been assigned yet, and no known exploits are reported in the wild at the time of publication. However, the presence of a hardcoded private key with a known password represents a high-risk vulnerability due to the ease of exploitation once the application is obtained and the potential impact on sensitive data and device trustworthiness.

For European organizations, especially those involved in public safety, law enforcement, or private security sectors using Flock Safety devices, this vulnerability poses a significant risk. Compromise of the private key could allow attackers to decrypt sensitive license plate data, manipulate or spoof device data, or intercept communications between devices and backend systems. This could lead to unauthorized tracking, privacy violations, and undermining of security operations. Given the sensitive nature of license plate reader data, exposure could also have legal and regulatory consequences under GDPR and other privacy laws. Additionally, manipulation of edge AI compute devices could disrupt automated security processes or cause false positives/negatives in threat detection, reducing operational effectiveness. The lack of authentication barriers to extract the key increases the risk of insider threats or attackers who gain physical or remote access to the device firmware or application binaries.

Immediate mitigation should include the following steps: 1) Update or patch the Flock Safety DetectionProcessing application to a version that removes the hardcoded keystore and password, replacing it with a secure key management system that does not embed private keys in code. 2) If a patch is not yet available, restrict access to devices and application binaries to trusted personnel only and monitor for unauthorized access attempts. 3) Rotate any cryptographic keys associated with the compromised keystore to invalidate the exposed private key. 4) Implement network-level protections such as encryption and authentication for communications involving these devices to reduce the impact of key compromise. 5) Conduct audits of device firmware and application code to detect similar insecure key management practices. 6) Educate staff on the risks of hardcoded credentials and enforce secure coding practices for cryptographic material. 7) Monitor for suspicious activity that could indicate exploitation attempts, including anomalous device behavior or unexpected data access patterns.