CVE-2025-6529 Overview
CVE-2025-6529 affects the 70mai M300 dashcam through firmware version 20250611. The vulnerability resides in the device's Telnet service, which ships with default credentials [CWE-1392]. An attacker on the adjacent network can authenticate using these known credentials and gain unauthorized access to the device. The exploit details have been disclosed publicly, and the vendor did not respond to disclosure attempts. Researcher findings indicate the access enables remote file upload and code execution on the device.
Critical Impact
Attackers within the local network can authenticate to the 70mai M300 Telnet service using default credentials, gaining administrative access that enables arbitrary file upload and code execution.
Affected Products
- 70mai M300 dashcam hardware
- 70mai M300 firmware versions up to and including 20250611
- Devices exposing the Telnet service on the local network
Discovery Timeline
- 2025-06-23 - CVE-2025-6529 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-6529
Vulnerability Analysis
The 70mai M300 firmware exposes a Telnet service that accepts authentication using default, hardcoded credentials. This issue is classified as a Use of Default Credentials weakness [CWE-1392]. Telnet transmits credentials and session data in cleartext, which compounds the exposure when the service is reachable on the same Wi-Fi network the dashcam uses. Once authenticated, an attacker obtains shell-level access to the embedded operating system. According to the public research write-up, this access chains with a file upload weakness to achieve remote code execution on the dashcam. The current EPSS probability is 0.51% at the 66.688 percentile.
Root Cause
The vendor shipped the device with a Telnet management interface enabled and configured with credentials known to researchers. The firmware provides no mechanism documented in the advisory to disable Telnet or force credential rotation on first use. Embedded consumer devices commonly retain these debug-style services in production builds, which is the underlying design flaw.
Attack Vector
Exploitation requires adjacency to the device, typically the same wireless network the dashcam connects to or its own access point. The attacker initiates a TCP connection to the Telnet port and submits the default credential pair. Successful authentication yields an interactive shell. From this shell, the attacker can upload binaries, modify firmware components, persist on the device, or pivot to recorded video data. The full technical chain is documented in the GitHub Malicious File Upload PoC and the corresponding VulDB entry #313646.
Detection Methods for CVE-2025-6529
Indicators of Compromise
- Unexpected inbound TCP connections to port 23 on 70mai M300 devices from local network hosts
- New or modified files in writable firmware partitions on the device
- Outbound traffic from the dashcam to unknown destinations after a Wi-Fi association event
- Shell process activity initiated by the Telnet daemon outside of vendor maintenance windows
Detection Strategies
- Run periodic network scans of guest and IoT VLANs to enumerate devices listening on TCP port 23
- Capture and inspect Telnet authentication strings, since the protocol transmits credentials in cleartext
- Correlate dashcam network telemetry with default credential authentication patterns in IoT-aware identification tooling
Monitoring Recommendations
- Forward wireless controller and router logs to a centralized analytics platform for anomaly review
- Alert on any successful Telnet session originating from or terminating at automotive IoT device MAC addresses
- Track firmware version reporting from the 70mai mobile companion app to confirm devices remain on vulnerable builds
How to Mitigate CVE-2025-6529
Immediate Actions Required
- Isolate 70mai M300 devices on a dedicated VLAN or SSID that blocks lateral traffic from untrusted clients
- Block inbound TCP port 23 at the wireless gateway to prevent Telnet reachability from other LAN clients
- Power off the device when not in active use until the vendor provides a fix
Patch Information
No vendor patch is available. The advisory notes the vendor was contacted but did not respond. Monitor the VulDB record for updates. No CISA KEV listing exists for this CVE.
Workarounds
- Disable the dashcam's Wi-Fi feature when not transferring footage
- Connect the device only to a segmented network with no other trusted hosts present
- Replace the affected hardware with a model that does not expose Telnet in production firmware
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

