70mai Dashcam X200 and Omni X200 Improper Initialization Vulnerability Allowing File Inclusion
Vulnerability
A file inclusion vulnerability has been identified in the 70mai Dashcam X200 model, all versions up to October 19, 2025. This issue arises from the Init Script Handler component, where an unspecified processing flaw allows for unauthorized file inclusion. The vulnerability requires local access to exploit, and while it is publicly known and has an available proof-of-concept exploit, it is considered difficult to exploit due to its high complexity level.
Impact
Exploitation of this vulnerability allows for unauthorized file inclusion, which can be leveraged to execute malicious code persistently on the device by hijacking an initialization script.
Reproduction
The vulnerability can be reproduced by accessing the dashcam's network and placing a malicious binary at a path referenced by the boot initialization script, which typically points to a non-existent binary. Once the binary is placed, it will execute automatically upon the device's next boot, thereby achieving persistent code execution.
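A defender-side check for the condition described above, as an added example that is not part of the original advisory or of 70mai firmware: it scans an init script inside an unpacked firmware root filesystem and reports every absolute path the script references that is missing from the image. The function name `audit_init_refs`, the directory layout and all sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): list absolute paths that an init script
# references but that do not exist in an unpacked firmware root filesystem.

# audit_init_refs ROOT SCRIPT
# Prints "<script>:<line>: <path> missing (<note>)" for each dangling reference.
audit_init_refs() {
    root=$1; script=$2
    # Skip comment lines; grep -n keeps the original line numbers.
    grep -n -v '^[[:space:]]*#' "$script" | while IFS= read -r entry; do
        lineno=${entry%%:*}; text=${entry#*:}
        # Split on shell separators and keep only tokens that are absolute paths.
        for path in $(printf '%s\n' "$text" | tr -s " \t;&|()<>=\"'" '\n' |
                      grep -E '^/[A-Za-z0-9_./-]+$' | sort -u); do
            case $path in
                # Populated at runtime, so absence in a static image means nothing.
                /dev/*|/proc/*|/sys/*|/tmp/*|/var/run/*) continue ;;
            esac
            # A symlink counts as present even if its target resolves outside ROOT.
            if [ ! -e "$root$path" ] && [ ! -L "$root$path" ]; then
                if [ -d "$root$(dirname "$path")" ]; then
                    note='parent directory exists'
                else
                    note='parent directory absent in image'
                fi
                printf '%s:%s: %s missing (%s)\n' \
                    "${script#"$root"}" "$lineno" "$path" "$note"
            fi
        done
    done
}

# Constructed sample image; every path and file name below is hypothetical.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/init.d" "$demo_root/bin"
: > "$demo_root/bin/recorder"
cat > "$demo_root/etc/init.d/rcS" <<'EOF'
#!/bin/sh
# /old/tool appears only in a comment and is ignored
/bin/recorder 2>/dev/null &
[ -x /opt/vendor/bin/helper ] && /opt/vendor/bin/helper &
EOF
audit_init_refs "$demo_root" "$demo_root/etc/init.d/rcS"
```

A reported path that sits on storage writable at runtime is the condition this advisory describes; writability has to be confirmed on the device itself, because a static image does not show mount options.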
