Advisory Details

March 25th, 2025

(0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability

ZDI-25-178
ZDI-CAN-24355

CVE ID CVE-2025-2764
CVSS SCORE 8.0, AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS CarlinKit
AFFECTED PRODUCTS CPC200-CCPA
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the handling of update packages provided to update.cgi. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root.

ADDITIONAL DETAILS

06/05/24 – ZDI contacted the vendor’s support team via email
07/12/24 – ZDI sent a second PSIRT contact request to CarlinKit support team
11/13/24 – ZDI asked for updates
02/18/25 – ZDI informed the vendor that since we have not received a response, we will publish the report as a 0-day advisory


DISCLOSURE TIMELINE
  • 2025-03-11 - Vulnerability reported to vendor
  • 2025-03-25 - Coordinated public release of advisory
  • 2025-03-25 - Advisory Updated
CREDIT Aaron Luo and Spencer Hsieh of VicOne
BACK TO ADVISORIES