Vulnerability Details CVE-2025-65855
The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.2%
CVSS Severity
CVSS v3 Score 6.6
References
Products affected by CVE-2025-65855
-
cpe:2.3:h:netun:helpflash_iot:-
-
cpe:2.3:o:netun:helpflash_iot_firmware:18_178_221102_ascii_pro_1r5_50