CVE-2025-11943

70mai X200 HTTP Web Server default credentials

CVSS 6.9 MEDIUMEPSS 0.7%CWE-1392

In short

The 70mai X200 dashcam uses default credentials in its web server that cannot be changed, allowing anyone on the network to access and control the device without proper authentication.

Technical detail

The HTTP Web Server component in 70mai X200 (firmware up to 20251010) contains hardcoded default credentials with no option to modify them. An unauthenticated remote attacker can access the web interface and perform unauthorized actions on the device. Public exploits are available and the vendor has not addressed this issue.

Summary generated and translated by AI from the official description.

A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Affected products

70mai · X200

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/geo-chen/70mai/blob/main/README.md#finding-10-exposed-root-password-via-unauthenticated-http-server https://vuldb.com/?ctiid.329022 https://vuldb.com/?id.329022 https://vuldb.com/?submit.672521