CVE-2025-25984
Description
An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via UART component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), range: 1020302
Patches
Vulnerability mechanics
Root cause
"Hardcoded root password stored in the read-only filesystem allows UART shell access."
Attack vector
An attacker with physical access must disassemble the camera and solder wires to test pads near the CPU to access the UART interface [ref_id=1]. After connecting a UART adapter (GND, TX, RX), pressing Enter presents a login prompt where the attacker enters `root` as the username and `gzhongshi` as the password [ref_id=1]. This grants a root shell, giving full control over the device [CWE-259][ref_id=1].
Affected code
The vulnerability resides in the root password hash stored in `/etc/shadow` on the squashfs (read-only) partition of the flash chip [ref_id=1]. The UART interface is exposed via test pads near the CPU, and the root password is hardcoded as `gzhongshi` [ref_id=1].
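For firmware reviewers, the condition described above (a usable password hash in `/etc/shadow` on a read-only root filesystem) can be checked on an unpacked image. The following is an added example, not code from the advisory or the vendor; it assumes the rootfs has already been extracted to a directory, and the function names and the sample `passwd`/`shadow` contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# crypt(3) id -> scheme name; a hash with no "$" prefix is legacy DES crypt.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
NOLOGIN = ("nologin", "false")

def audit_rootfs(rootfs):
    """List accounts that can log in with a password baked into the image."""
    etc = Path(rootfs) / "etc"
    shells = {}
    for line in (etc / "passwd").read_text().splitlines():
        f = line.split(":")
        if len(f) >= 7:
            shells[f[0]] = f[6]
    findings = []
    for line in (etc / "shadow").read_text().splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, pw = f[0], f[1]
        if shells.get(user, "").endswith(NOLOGIN):
            continue  # no interactive shell, so the hash is not a login path
        if pw == "":
            findings.append((user, "empty password"))
        elif pw[0] in "!*":
            continue  # locked entry: no password can match
        else:
            kind = pw.split("$")[1] if pw.startswith("$") else None
            scheme = SCHEMES.get(kind, "unknown") if kind is not None else "descrypt"
            findings.append((user, f"fixed {scheme} hash"))
    return findings

def build_sample(root):
    """Write a constructed /etc tree standing in for an unpacked squashfs image."""
    etc = Path(root) / "etc"
    etc.mkdir(parents=True)
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n"
                                "daemon:x:1:1:daemon:/:/sbin/nologin\n"
                                "ftp:x:14:50:ftp:/var/ftp:/bin/sh\n")
    # Hash strings below are constructed placeholders, not real device values.
    (etc / "shadow").write_text("root:$1$EXAMPLEs$CONSTRUCTEDplaceholder:0:0:99999:7:::\n"
                                "daemon:$1$EXAMPLEs$CONSTRUCTEDplaceholder:0:0:99999:7:::\n"
                                "ftp:*:0:0:99999:7:::\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit_rootfs(build_sample(d)))
```

Any finding on a squashfs root means the credential is identical on every unit running that image and cannot be rotated by the owner.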
What the fix does
No patch or firmware update has been published by Macro-video Technologies Co.,Ltd to address this issue [ref_id=1]. The advisory recommends that users replace the device or restrict physical access, as the hardcoded password is stored in a read-only filesystem and cannot be changed without modifying the firmware image [ref_id=1].
Preconditions
- physical: Attacker must have physical possession of the camera and disassemble it to access test pads near the CPU
- input: Attacker must connect a UART adapter to the exposed test pads (GND, TX, RX)
- auth: No authentication is required before the login prompt; the hardcoded password is the only gate
Reproduction
1. Disassemble the camera to expose the circuit board.
2. Solder wires to the UART test pads near the CPU: device GND (USB-C shielding) to UART adapter GND, device TX (behind the resistor) to UART adapter RX, device RX (close to the edge) to UART adapter TX [ref_id=1].
3. Connect the UART adapter to a computer and open a serial terminal.
4. Press Enter to get the login prompt.
5. Log in with username `root` and password `gzhongshi` [ref_id=1].
6. Run `id` or `whoami` to verify root shell access [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References