CVE-2025-2762: CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability
Description
CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of CarlinKit CPC200-CCPA devices. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-25948.
Classification
CVE ID: CVE-2025-2762
CVSS Base Severity: HIGH
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types
CWE-1326: Missing Immutable Root of Trust in HardwareAffected Products
Vendor: CarlinKit
Product: CPC200-CCPA
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 4.18% (scored less or equal to compared to others)
EPSS Date: 2025-05-22 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2762https://www.zerodayinitiative.com/advisories/ZDI-25-176/