Louis: fixed server logs -> referral urls per source, moved nvd ref to correct claim

2026-03-29T04:20:35Z

fixed server logs -> referral urls per source, moved nvd ref to correct claim

← Older revision		Revision as of 04:20, 29 March 2026
Line 56:		Line 56:
	=== Hardcoded secrets in mobile app (CVE-2025-2355) ===		=== Hardcoded secrets in mobile app (CVE-2025-2355) ===

	The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.<ref name="geochen" /> These client secrets are transmitted via GET parameters, which means they appear in browser history, server logs, & corporate proxy logs.<ref name="geochen" /> Anyone with access to these logs can extract the tokens.<ref name="nvd-2355">{{Cite web \|url=https://nvd.nist.gov/vuln/detail/CVE-2025-2355 \|title=CVE-2025-2355 Detail \|website=National Vulnerability Database \|access-date=2026-03-28}}</ref>		The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.<ref name="nvd-2355">{{Cite web \|url=https://nvd.nist.gov/vuln/detail/CVE-2025-2355 \|title=CVE-2025-2355 Detail \|website=National Vulnerability Database \|access-date=2026-03-28}}</ref> These client secrets are transmitted via GET parameters, which means they appear in browser history, referral URLs, & proxy logs.<ref name="geochen" />

	=== Unauthorized API calls (CVE-2025-2356) ===		=== Unauthorized API calls (CVE-2025-2356) ===

Louis: new incident page for 7 firmware cves across dr750 and dr590x. two critical (9.8), dr750 unpatched since 2022. all sourced from nvd and github pocs.

2026-03-29T04:13:42Z

new incident page for 7 firmware cves across dr750 and dr590x. two critical (9.8), dr750 unpatched since 2022. all sourced from nvd and github pocs.

New page

{{#seo:
|description=Seven CVEs across BlackVue DR750 and DR590X dashcams allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. DR750 unpatched since 2022.
}}
{{IncidentCargo
|Company=BlackVue
|StartDate=2022-07-30
|EndDate=
|Status=Active
|ProductLine=
|Product=
|ArticleType=Product
|Type=Privacy,Repairability
|Description=Seven CVEs across DR750 & DR590X allow firmware backdooring, unauthenticated recording access, & hardcoded API secrets; DR750 unpatched since 2022
}}

'''BlackVue firmware security vulnerabilities''' are a set of 7 CVEs across 2 [[BlackVue]] dashcam models that allow attackers to upload backdoored firmware, access live video feeds & stored recordings without authentication, and exploit hardcoded API secrets embedded in plaintext in BlackVue's mobile app.<ref name="eyjhb">{{Cite web |url=https://github.com/eyJhb/blackvue-cve-2023 |title=BlackVue CVE-2023 - Security Vulnerabilities in BlackVue DR750 |author=eyJhb |date=2023 |website=GitHub |access-date=2026-03-28}}</ref><ref name="geochen">{{Cite web |url=https://github.com/geo-chen/BlackVue |title=BlackVue Dashcam 590X Security Vulnerabilities |author=Geo Chen |date=2025-02-25 |website=GitHub |access-date=2026-03-28}}</ref> The first 3 CVEs affecting the DR750 were reported to BlackVue on July 30, 2022.<ref name="eyjhb" /> As of 2026, BlackVue has not patched the DR750 vulnerabilities, leaving roughly 300 internet-connected devices exposed.<ref name="eyjhb" />

== Background ==

BlackVue manufactures cloud-connected dashcams that provide remote access to live feeds, GPS tracking, & stored recordings through WiFi & cellular (LTE) connections. The DR750-2CH LTE model connects directly to the internet via its built-in LTE modem, making its services reachable without requiring proximity to the vehicle's WiFi network.<ref name="eyjhb" />

Two independent security researchers audited BlackVue dashcams roughly 2.5 years apart. The first researcher (eyJhb) reported 3 vulnerabilities in the DR750 in July 2022. The second researcher (Geo Chen) disclosed 4 vulnerabilities in the DR590X in February 2025.<ref name="eyjhb" /><ref name="geochen" />

== DR750 vulnerabilities (CVE-2023-27746, CVE-2023-27747, CVE-2023-27748) ==

The DR750-2CH LTE running firmware v1.012-eng contained 3 critical-to-high severity vulnerabilities that, chained together, allow full remote compromise of the device.<ref name="eyjhb" />

=== Weak default WiFi passphrase (CVE-2023-27746) ===

The DR750's default WiFi password uses only lowercase alphanumeric characters with a length of 8.<ref name="eyjhb" /> This character set produces a keyspace small enough to brute-force from a captured WiFi handshake. The researcher estimated the password could be cracked in roughly 4 days using rented cloud hardware costing approximately 40 EUR.<ref name="eyjhb" /> The NVD assigned this vulnerability a CVSS score of 9.8 (Critical).<ref name="nvd-27746">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27746 |title=CVE-2023-27746 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Unauthenticated web server (CVE-2023-27747) ===

A built-in web server on the DR750 exposes live video feeds, position & speed telemetry, stored recordings, & device configuration downloads without any authentication.<ref name="eyjhb" /> Anyone on the same network (or anyone on the internet for LTE-connected models) can access these endpoints.<ref name="eyjhb" /> The configuration download includes encrypted WiFi credentials.<ref name="eyjhb" /> The NVD assigned a CVSS score of 7.5 (High).<ref name="nvd-27747">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27747 |title=CVE-2023-27747 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Unauthenticated firmware upload (CVE-2023-27748) ===

Port 9771/TCP on the DR750 hosts a FOTA (firmware over-the-air) service with no authentication & no firmware authenticity check.<ref name="eyjhb" /> An attacker can upload custom firmware containing a backdoor.<ref name="eyjhb" /> The dashcam has no firewall, so on LTE models this port is reachable from the public internet.<ref name="eyjhb" /> Custom firmware persists even after a user reinstalls the official firmware, giving the attacker persistent root access to the device.<ref name="eyjhb" /> The NVD assigned a CVSS score of 9.8 (Critical).<ref name="nvd-27748">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27748 |title=CVE-2023-27748 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== BlackVue's response ===

BlackVue acknowledged it would investigate but has not released a patch.<ref name="eyjhb" /> At the time of disclosure, approximately 300 vulnerable DR750 devices were identified as publicly accessible on the internet.<ref name="eyjhb" />

== DR590X vulnerabilities (CVE-2025-7075, CVE-2025-7076, CVE-2025-2355, CVE-2025-2356) ==

Security researcher Geo Chen disclosed 4 vulnerabilities in the BlackVue DR590X dashcam & its companion mobile app on February 25, 2025.<ref name="geochen" />

=== Unauthenticated file upload (CVE-2025-7075) ===

The DR590X exposes an <code>/upload.cgi</code> endpoint at <code>http://10.99.77.1/upload.cgi</code> with no authentication. Any device on the dashcam's WiFi network can upload arbitrary files, including malware, to the dashcam.<ref name="geochen" /> The NVD assigned a CVSS score of 8.8 (High).<ref name="nvd-7075">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |title=CVE-2025-7075 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Unauthenticated configuration modification (CVE-2025-7076) ===

Through the same upload mechanism, an attacker can modify the dashcam's configuration file without authentication. This allows disabling battery protection on the dashcam, which can drain the vehicle's battery.<ref name="geochen" /> The NVD assigned a CVSS score of 8.8 (High).<ref name="nvd-7076">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7076 |title=CVE-2025-7076 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Hardcoded secrets in mobile app (CVE-2025-2355) ===

The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.<ref name="geochen" /> These client secrets are transmitted via GET parameters, which means they appear in browser history, server logs, & corporate proxy logs.<ref name="geochen" /> Anyone with access to these logs can extract the tokens.<ref name="nvd-2355">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-2355 |title=CVE-2025-2355 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Unauthorized API calls (CVE-2025-2356) ===

Using tokens extracted from the APK or intercepted from GET parameters, an attacker can make API calls to delete devices from a user's account & modify device settings without authorization.<ref name="geochen" /> The userToken is transmitted via GET parameters rather than POST request bodies or authorization headers, exposing it to the same logging & interception risks as the hardcoded secrets.<ref name="geochen" /><ref name="nvd-2356">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-2356 |title=CVE-2025-2356 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>

=== Disclosure timeline ===

Geo Chen reported the DR590X vulnerabilities to BlackVue on February 25, 2025. BlackVue acknowledged the report on February 26, 2025, & accepted the findings on March 5, 2025. CVEs were published on March 16, 2025.<ref name="geochen" />

== Consumer impact ==

Both sets of vulnerabilities expose dashcam owners to [[surveillance]] & vehicle tampering risks that cannot be mitigated through software settings.<ref name="eyjhb" /><ref name="geochen" /> The DR750's LTE connectivity means the firmware upload vulnerability (CVE-2023-27748) is exploitable remotely without physical proximity to the vehicle.<ref name="eyjhb" /> A compromised dashcam can serve as a persistent surveillance device, streaming live video, audio, & GPS location data to an attacker.<ref name="eyjhb" />

The DR590X's battery protection bypass (CVE-2025-7076) introduces a physical consequence: an attacker within WiFi range can disable the dashcam's voltage cutoff, causing it to drain the vehicle's 12V battery.<ref name="geochen" /> The hardcoded API secrets (CVE-2025-2355) & unauthorized API access (CVE-2025-2356) extend the attack surface beyond the local network to BlackVue's cloud infrastructure, allowing remote account & device manipulation.<ref name="geochen" />

The DR750 vulnerabilities remain unpatched more than 3 years after the initial report to the vendor.<ref name="eyjhb" /> BlackVue accepted the DR590X findings on March 5, 2025, but as of the CVE publication date had not announced fixes for those vulnerabilities either.<ref name="geochen" />

== See also ==

* [[BlackVue]]
* [[IoT device security]]
* [[Right to Repair]]

== References ==

{{reflist}}

[[Category:BlackVue]]
[[Category:Privacy]]
[[Category:IoT]]

BlackVue firmware security vulnerabilities - Revision history

Louis: fixed server logs -> referral urls per source, moved nvd ref to correct claim

Louis: new incident page for 7 firmware cves across dr750 and dr590x. two critical (9.8), dr750 unpatched since 2022. all sourced from nvd and github pocs.