CVE-2025-59403

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/
https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf
https://www.flocksafety.com/products
https://www.flocksafety.com/products/license-plate-readers

Configurations

No configuration.

History

02 Oct 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-400
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

02 Oct 2025, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-02 17:16

Updated : 2025-10-02 20:15

NVD link : CVE-2025-59403

Mitre link : CVE-2025-59403

CVE.ORG link : CVE-2025-59403

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

6.5 /10