Description

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.

INFO

Published Date :

2025-10-02T00:00:00.000Z

Last Modified :

2025-10-02T19:43:46.935Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59403 vulnerability.

Vendors Products
Flocksafety
  • Bravo Edge Ai Compute Device
  • Collins
  • Falcon
  • License Plate Reader
Google
  • Android
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59403.

URL Resource
https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ cve-icon cve-icon
https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf cve-icon cve-icon
https://www.flocksafety.com/products cve-icon cve-icon
https://www.flocksafety.com/products/license-plate-readers cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System