CVE-2025-65397: An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24....
An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card.
Security readout for executives and security teams
Plain-English summary
CVE-2025-65397 affects Blurams Flare Camera firmware version 24.1114.151.929 and earlier. With physical access and a prepared SD card, an attacker may cause startup logic to run arbitrary commands as root when a specific public key file is missing. This is serious for exposed or shared-location devices, but it is not remotely exploitable based on the provided sources.
Executive priority
Treat this as a targeted physical-access risk, not an internet-scale emergency. Prioritize locations where cameras are reachable by untrusted people, then seek vendor guidance for update or replacement decisions.
Technical view
The issue is an insecure authentication mechanism in safe_exec.sh, mapped to CWE-20 and CWE-287. The trigger condition requires physical access, an SD card containing a crafted auth.ini file, and absence of /opt/images/public_key.der. CVSS 3.1 is 6.8 with AV:P and high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is likely limited to Blurams Flare Camera devices running version 24.1114.151.929 or earlier, especially cameras in public, semi-public, or tenant-accessible locations. The structured affected-product fields in the bundle are incomplete, so asset owners should validate model and firmware directly.
Exploitation context
The provided CVE data does not indicate active exploitation, and KEV is false. Exploitation requires physical device access and an SD card interaction, so risk depends heavily on attacker proximity, camera placement, and tamper controls.
Researcher notes
The source bundle names the product and version in the description, but structured affected fields are marked n/a. No official patch, workaround, advisory detail, or exploitation evidence is provided beyond the CVE reference and LessonSec page.
Mitigation direction
Check Blurams or device vendor guidance for firmware updates or official mitigations.
Restrict physical access to deployed cameras and SD card slots.
Prioritize remediation for cameras in public or shared environments.
Review device configuration and firmware version during normal maintenance windows.
Do not rely on undocumented file changes without vendor confirmation.
Validation and detection
Inventory Blurams Flare Camera devices and record firmware versions.
Confirm whether devices run version 24.1114.151.929 or earlier.
Assess whether SD card slots are physically accessible.
Review devices for unexpected SD card contents or auth.ini files.
Check whether /opt/images/public_key.der exists without modifying device state.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.