Skip to main content

CVE-2025-7075: Unrestricted Upload in BlackVue Dashcam 590X

Medium
VulnerabilityCVE-2025-7075cvecve-2025-7075
Published: Sat Jul 05 2025 (07/05/2025, 23:32:05 UTC)
Source: CVE Database V5
Vendor/Project: BlackVue
Product: Dashcam 590X

Description

A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AILast updated: 07/05/2025, 23:54:34 UTC

Technical Analysis

CVE-2025-7075 is a vulnerability identified in the BlackVue Dashcam 590X device, specifically affecting versions up to 20250624. The vulnerability resides in the HTTP endpoint component, particularly in the /upload.cgi file. It allows an attacker to perform an unrestricted upload of files to the device. This means that an attacker can upload arbitrary files without proper validation or authentication controls. The attack vector requires the attacker to be within the local network, as remote exploitation over the internet is not indicated. The vulnerability has been publicly disclosed, and although the vendor was notified early, no response or patch has been provided. The CVSS 4.0 base score is 5.3, categorized as medium severity, with the vector indicating low attack complexity, no privileges or user interaction required, and partial impacts on confidentiality, integrity, and availability. The unrestricted upload could allow an attacker to upload malicious files, potentially leading to unauthorized code execution, device compromise, or persistent backdoors within the dashcam. Since dashcams often have access to vehicle data and potentially network connectivity, exploitation could lead to privacy breaches or be a foothold for lateral movement within a local network.

Potential Impact

For European organizations, the impact of this vulnerability depends on the deployment context of the BlackVue Dashcam 590X. Organizations using these dashcams in fleet vehicles, corporate cars, or logistics could face risks including unauthorized access to recorded video footage, manipulation or deletion of evidence, and potential compromise of the device as a pivot point within the local network. The unrestricted upload could be leveraged to implant malware or backdoors, threatening confidentiality and integrity of data. Although exploitation requires local network access, in environments where dashcams connect to corporate Wi-Fi or internal vehicle networks, attackers could exploit this vulnerability to escalate attacks. Privacy regulations such as GDPR increase the stakes, as unauthorized access or leakage of video data could result in regulatory penalties. The lack of vendor response and patch availability increases the risk exposure duration. However, the medium CVSS score and local network requirement somewhat limit the scope compared to internet-exposed vulnerabilities.

Mitigation Recommendations

1. Network Segmentation: Isolate dashcam devices on a separate VLAN or network segment with strict access controls to limit local network exposure. 2. Access Control: Restrict access to the dashcam’s management interfaces and HTTP endpoints to authorized personnel and devices only. 3. Monitoring: Implement network monitoring to detect unusual upload activity or unauthorized access attempts targeting /upload.cgi. 4. Device Hardening: Disable or restrict unnecessary services on the dashcam if possible, and change default credentials to strong, unique passwords. 5. Physical Security: Ensure physical access to the dashcam and vehicle network is controlled to prevent attackers from connecting to the local network. 6. Vendor Engagement: Continuously monitor for vendor updates or patches and apply them promptly once available. 7. Incident Response: Prepare to isolate affected devices and conduct forensic analysis if exploitation is suspected. 8. Alternative Solutions: Consider using dashcam models with better security track records or that have received patches for this vulnerability.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-05T08:10:13.139Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6869b7ab6f40f0eb72b3cd4c

Added to database: 7/5/2025, 11:39:23 PM

Last enriched: 7/5/2025, 11:54:34 PM

Last updated: 7/6/2025, 12:45:36 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats