CVE-2025-65397 Overview
An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges. The vulnerability can be triggered when the file /opt/images/public_key.der is not present in the file system, by providing a maliciously crafted auth.ini file on the device's SD card.
Critical Impact
An attacker with physical access can achieve complete device compromise with root-level command execution on affected Blurams Flare Camera devices.
Affected Products
- Blurams Flare Camera version 24.1114.151.929 and earlier
Discovery Timeline
- 2026-01-14 - CVE-2025-65397 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-65397
Vulnerability Analysis
This firmware vulnerability exists in the Blurams Flare Camera's startup initialization process. The safe_exec.sh script implements an insecure authentication mechanism that fails to properly validate authentication parameters when a specific cryptographic key file is absent from the system. The flaw is categorized under CWE-20 (Improper Input Validation), indicating that the script does not adequately sanitize or validate input from external sources before processing it with elevated privileges.
The vulnerability requires physical access to the target device, limiting remote exploitation. However, once an attacker has physical access, the impact is severe—complete compromise of the device with root-level command execution capabilities. This allows full control over the camera's functionality, including potential access to video feeds, network credentials, and the ability to use the device as a pivot point for further attacks.
Root Cause
The root cause lies in improper input validation within the safe_exec.sh startup script. The script appears to implement a fallback authentication mechanism that becomes active when the /opt/images/public_key.der file is missing from the filesystem. In this degraded state, the script processes authentication parameters from the SD card's auth.ini file without proper sanitization. This allows specially crafted input to be interpreted as commands rather than configuration data, resulting in arbitrary command execution with the script's root privileges.
Attack Vector
The attack requires physical access to the vulnerable Blurams Flare Camera device. An attacker must:
- Prepare a malicious auth.ini configuration file containing crafted command injection payloads
- Insert an SD card containing the malicious auth.ini file into the target camera
- Ensure the /opt/images/public_key.der file is either missing or has been removed from the device
- Trigger the device startup sequence (e.g., by power cycling the camera)
When the safe_exec.sh script executes during boot, it parses the attacker-controlled auth.ini file without proper validation. The malicious payload is then executed with root privileges, giving the attacker complete control over the device. For detailed technical information on exploitation mechanics, refer to the LessonSec CVE-2025-65397 advisory.
Detection Methods for CVE-2025-65397
Indicators of Compromise
- Presence of unexpected or modified auth.ini files on SD cards inserted into Blurams Flare Camera devices
- Missing or deleted /opt/images/public_key.der file on the device filesystem
- Unusual processes or network connections originating from the camera device
- Evidence of unauthorized SD card insertion or device tampering
Detection Strategies
- Monitor for physical access attempts to IoT camera devices in sensitive locations
- Implement file integrity monitoring on critical system files including /opt/images/public_key.der
- Deploy network behavior analysis to detect anomalous traffic patterns from camera devices
- Review device logs for unexpected startup sequences or boot-time errors
Monitoring Recommendations
- Establish baseline network behavior for all Blurams Flare Camera devices and alert on deviations
- Implement physical security controls and tamper-evident measures for deployed cameras
- Configure centralized logging for all IoT devices where supported
- Conduct periodic physical inspections of camera devices for signs of tampering or unauthorized SD card insertion
How to Mitigate CVE-2025-65397
Immediate Actions Required
- Verify the presence of /opt/images/public_key.der on all deployed Blurams Flare Camera devices
- Remove or disable SD card slots on cameras in high-security environments where feasible
- Implement physical access controls to prevent unauthorized tampering with camera devices
- Monitor the Blurams official website for firmware updates addressing this vulnerability
Patch Information
At the time of this publication, no official patch information is available from the vendor. Organizations should monitor official Blurams channels for firmware updates addressing CVE-2025-65397. Contact Blurams support directly for guidance on remediation timelines and interim security measures.
Workarounds
- Ensure the /opt/images/public_key.der file exists and has proper permissions on all affected devices to prevent the vulnerable code path from being triggered
- Physically secure all Blurams Flare Camera devices to prevent unauthorized physical access
- Consider network segmentation to isolate IoT camera devices from sensitive network segments
- Disable or physically block SD card slots if the functionality is not required for operations
- Implement monitoring for unauthorized physical access to camera installation locations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
