SB2025032618 - Multiple vulnerabilities in CarlinKit CPC200-CCPA
Published: March 26, 2025
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Missing Immutable Root of Trust in Hardware (CVE-ID: CVE-2025-2762)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the lack of a properly configured hardware root of trust within the configuration of the application system-on-chip (SoC). A local user can execute arbitrary code on the system with elevated privileges.
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2025-2763)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the lack of proper verification of a cryptographic signature within the handling of update packages on USB drives. An attacker with physical access can execute arbitrary code on the system.
3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2025-2764)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the lack of proper verification of a cryptographic signature within the handling of update packages provided to update.cgi. A remote user on the local network can execute arbitrary code on the system.
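Items 2 and 3 describe the same defect on two delivery paths (USB drive and update.cgi): an update package is applied without an authenticated signature check, so anyone who can place a package on either path controls the installed code. The following is an added example, not code from this bulletin, the vendor or the device, showing what a defensible update verifier looks like. It assumes a signed JSON manifest over an Ed25519 vendor key pinned in the device, a payload bound to the manifest by SHA-256, and a monotonic version counter for anti-rollback; the product name "demo-unit", the "UPD1" header and the key pair are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing the vendor signature covers; the payload is
// bound to it through its SHA-256 digest (hypothetical format).
type Manifest struct {
	Product    string `json:"product"`
	Version    uint32 `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// UpdatePackage is what arrives on a USB drive or at an HTTP update endpoint.
type UpdatePackage struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// Verifier holds state the device must keep in storage an attacker cannot
// rewrite: the pinned vendor key and the installed version.
type Verifier struct {
	VendorKey      ed25519.PublicKey
	Product        string
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrPayloadHash  = errors.New("payload digest does not match manifest")
)

// Verify checks signature first (nothing unauthenticated is parsed further),
// then product and anti-rollback, then payload integrity. Only a nil error
// permits flashing the payload.
func (v Verifier) Verify(pkg UpdatePackage) (*Manifest, error) {
	if !ed25519.Verify(v.VendorKey, pkg.ManifestJSON, pkg.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(pkg.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Product != v.Product {
		return nil, ErrWrongProduct
	}
	if m.Version <= v.CurrentVersion {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(pkg.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return nil, ErrPayloadHash
	}
	return &m, nil
}

// AcceptUnverified models the flawed pattern behind the two signature CVEs:
// anything that looks like an update is accepted. Kept only for contrast.
func AcceptUnverified(pkg UpdatePackage) bool {
	return bytes.HasPrefix(pkg.Payload, []byte("UPD1"))
}

// BuildPackage is the vendor-side signing step (hypothetical tooling).
func BuildPackage(priv ed25519.PrivateKey, product string, version uint32, payload []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(payload)
	mj, err := json.Marshal(Manifest{Product: product, Version: version, PayloadSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// Demo builds a legitimate package and one with a swapped payload using a
// throwaway key pair, and reports which checks accept each.
func Demo() (legitOK, tamperedOK, unverifiedAcceptsTampered bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	v := Verifier{VendorKey: pub, Product: "demo-unit", CurrentVersion: 3}
	good, err := BuildPackage(priv, "demo-unit", 4, []byte("UPD1 firmware image v4"))
	if err != nil {
		return false, false, false, err
	}
	_, gerr := v.Verify(good)
	bad := good // signed manifest reused, payload replaced, cannot be re-signed
	bad.Payload = []byte("UPD1 attacker image")
	_, berr := v.Verify(bad)
	return gerr == nil, berr == nil, AcceptUnverified(bad), nil
}

func main() {
	legit, tampered, unverified, err := Demo()
	fmt.Println("legit accepted:", legit, "tampered accepted:", tampered, "header-only check accepts tampered:", unverified, err)
}
```

The order of checks matters: signature verification runs before the manifest is even parsed, the version comparison prevents a validly signed older (and vulnerable) package from being reinstalled, and the digest check ties the payload to the signed manifest so a USB drive or web upload carrying a swapped image is rejected with ErrPayloadHash. Note that this only helps if the pinned vendor key itself cannot be replaced, which is exactly what item 1 (missing hardware root of trust) undermines.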
4) Use of hard-coded credentials (CVE-ID: CVE-2025-2765)
The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials within the configuration of the wireless hotspot. A remote attacker on the local network can access the affected system using the hard-coded credentials.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.