Improper Access Control in YI Car Dashcam Affects User Security
CVE-2024-56897

9.8CRITICAL

Key Information:

Vendor: YI Technology
Status: YI Car Dashcam
Vendor: CVE Published:; 24 February 2025

🔔 Create YI Technology Vulnerability Alert

What is CVE-2024-56897?

The YI Car Dashcam v3.88 has a vulnerability that stems from improper access control within its HTTP server. This flaw allows attackers to perform unrestricted file downloads and uploads, and execute unauthorized API commands. Consequently, unauthorized modifications to critical device settings may occur, enabling potential actions such as disabling recording features, muting audio, and even triggering factory resets. Users of this device are advised to monitor for any unusual behavior and consider updates to mitigate the risk.

References

https://github.com/geo-chen/YI-Smart-Dashcam/

https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-...

https://yitechnology.com.sg/products/dash-camera/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2025
Vulnerability Reserved
Jan 9, 2025

CVE-2024-56897 Data

JSON