ZDI-25-179: (0Day) CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability
First published: Tue Mar 25 2025(Updated: )
This vulnerability allows physically present attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of update packages on USB drives. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CarlinKit CPC200-CCPA | ||
| CarlinKit CPC200-CCPA |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-25-179?
The severity of ZDI-25-179 is rated at 6.8 according to the CVSS.
How do I fix ZDI-25-179?
To fix ZDI-25-179, update the CarlinKit CPC200-CCPA device to the latest firmware version provided by the vendor.
What type of attack is associated with ZDI-25-179?
ZDI-25-179 allows physically present attackers to execute arbitrary code on the affected devices.
Is authentication needed to exploit ZDI-25-179?
No, authentication is not required to exploit ZDI-25-179.
Which devices are affected by ZDI-25-179?
ZDI-25-179 affects the CarlinKit CPC200-CCPA devices.
- collector/zdi-published
- source/ZDI
- alias/ZDI-CAN-24356
- agent/title
- agent/last-modified-date
- agent/source
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- collector/zdi-advisory
- alias/ZDI-25-179
- alias/CVE-2025-2763
- agent/references
- agent/severity
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- vendor/carlinkit
- canonical/carlinkit cpc200-ccpa