CVE-2025-7075

A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 6.3 MEDIUM
CVSS v2.0 5.8 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 6.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/geo-chen/BlackVue/blob/main/README.md#finding-1-unauthenticated-upload-endpoint-on-http	Exploit Third Party Advisory
https://vuldb.com/?ctiid.314989	Permissions Required VDB Entry
https://vuldb.com/?id.314989	Third Party Advisory VDB Entry
https://vuldb.com/?submit.603301	Third Party Advisory VDB Entry
https://github.com/geo-chen/BlackVue/blob/main/README.md#finding-1-unauthenticated-upload-endpoint-on-http	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:blackvuenorthamerica:blackvue_dr590x_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:blackvuenorthamerica:blackvue_dr590x:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-06 00:15

Updated : 2025-10-01 19:09

NVD link : CVE-2025-7075

Mitre link : CVE-2025-7075

CVE.ORG link : CVE-2025-7075

JSON object : View

Products Affected

blackvuenorthamerica

blackvue_dr590x
blackvue_dr590x_firmware

CWE

CWE-284

Improper Access Control

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-7075", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-06T00:15:22.177", "references": [{"url": "https://github.com/geo-chen/BlackVue/blob/main/README.md#finding-1-unauthenticated-upload-endpoint-on-http", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.314989", "tags": ["Permissions Required", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?id.314989", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.603301", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://github.com/geo-chen/BlackVue/blob/main/README.md#finding-1-unauthenticated-upload-endpoint-on-http", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en BlackVue Dashcam 590X hasta la versi\u00f3n 20250624. Se ha declarado cr\u00edtica. Esta vulnerabilidad afecta a una funcionalidad desconocida del archivo /upload.cgi del componente HTTP Endpoint. La manipulaci\u00f3n permite una carga sin restricciones. El ataque debe realizarse dentro de la red local. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Se contact\u00f3 al proveedor con antelaci\u00f3n para informarle sobre esta vulnerabilidad, pero no respondi\u00f3."}], "lastModified": "2025-10-01T19:09:13.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:blackvuenorthamerica:blackvue_dr590x_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BCE5D35-0B9F-4357-B131-D70EFBBFCBA9", "versionEndIncluding": "2025-06-24"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:blackvuenorthamerica:blackvue_dr590x:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DF588942-69A8-4839-A64D-2651B8C3B960"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}