CVE-2025-59403
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-02

Last updated on: 2025-11-24

Assigner: MITRE

Description
The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-02
Last Modified
2025-11-24
Generated
2026-06-16
AI Q&A
2025-10-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59403
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flocksafety flock_safety 6.35.31
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Flock Safety Android Collins application version 6.35.31, which manages camera feeds on certain devices. The app exposes administrative API endpoints on port 8080 without requiring authentication. These endpoints include actions like rebooting the device, accessing logs, and enabling adb over the network. Because there is no authentication, an attacker on the local network can exploit these endpoints to cause denial of service, disclose sensitive information, or gain remote code execution by starting adb over TCP without confirmation, effectively giving shell access.

Impact Analysis

The vulnerability can lead to multiple impacts: denial of service by rebooting the device remotely, information disclosure through access to logs, and remote code execution by enabling adb over TCP without user confirmation. This allows an attacker on the local network to gain shell access to the device, potentially compromising the device and its data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart