CVE-2025-7075 is a vulnerability identified in the BlackVue Dashcam 590X device, specifically affecting versions up to 20250624. The vulnerability resides in the HTTP endpoint component, particularly in the /upload.cgi file. It allows an attacker to perform an unrestricted upload of files to the device. This means that an attacker can upload arbitrary files without proper validation or authentication controls. The attack vector requires the attacker to be within the local network, as remote exploitation over the internet is not indicated. The vulnerability has been publicly disclosed, and although the vendor was notified early, no response or patch has been provided. The CVSS 4.0 base score is 5.3, categorized as medium severity, with the vector indicating low attack complexity, no privileges or user interaction required, and partial impacts on confidentiality, integrity, and availability. The unrestricted upload could allow an attacker to upload malicious files, potentially leading to unauthorized code execution, device compromise, or persistent backdoors within the dashcam. Since dashcams often have access to vehicle data and potentially network connectivity, exploitation could lead to privacy breaches or be a foothold for lateral movement within a local network.

For European organizations, the impact of this vulnerability depends on the deployment context of the BlackVue Dashcam 590X. Organizations using these dashcams in fleet vehicles, corporate cars, or logistics could face risks including unauthorized access to recorded video footage, manipulation or deletion of evidence, and potential compromise of the device as a pivot point within the local network. The unrestricted upload could be leveraged to implant malware or backdoors, threatening confidentiality and integrity of data. Although exploitation requires local network access, in environments where dashcams connect to corporate Wi-Fi or internal vehicle networks, attackers could exploit this vulnerability to escalate attacks. Privacy regulations such as GDPR increase the stakes, as unauthorized access or leakage of video data could result in regulatory penalties. The lack of vendor response and patch availability increases the risk exposure duration. However, the medium CVSS score and local network requirement somewhat limit the scope compared to internet-exposed vulnerabilities.

1. Network Segmentation: Isolate dashcam devices on a separate VLAN or network segment with strict access controls to limit local network exposure. 2. Access Control: Restrict access to the dashcam’s management interfaces and HTTP endpoints to authorized personnel and devices only. 3. Monitoring: Implement network monitoring to detect unusual upload activity or unauthorized access attempts targeting /upload.cgi. 4. Device Hardening: Disable or restrict unnecessary services on the dashcam if possible, and change default credentials to strong, unique passwords. 5. Physical Security: Ensure physical access to the dashcam and vehicle network is controlled to prevent attackers from connecting to the local network. 6. Vendor Engagement: Continuously monitor for vendor updates or patches and apply them promptly once available. 7. Incident Response: Prepare to isolate affected devices and conduct forensic analysis if exploitation is suspected. 8. Alternative Solutions: Consider using dashcam models with better security track records or that have received patches for this vulnerability.