CVE-2025-30107
Published: 18 March 2025
Description
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Security Summary
CVE-2025-30107 is a vulnerability in the configuration management of IROAD V9 dashcam devices. It enables unauthorized parties to manage settings, obtain sensitive data, and sabotage the car battery by disabling critical functions and turning off battery protection, which could lead to physical damage to the vehicle. The issue stems from CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with network accessibility and no authentication required.
Attackers can exploit this vulnerability remotely over the network without privileges or user interaction. An unauthorized party gains the ability to arbitrarily modify dashcam settings, extract sensitive data, disable essential features, and deactivate battery protection mechanisms. This could result in operational disruptions or vehicle damage, such as battery drain or failure during critical scenarios.
Mitigation details are referenced in advisories at https://github.com/geo-chen/IROAD-V and https://iroad-dashcam.nl/iroad/iroad-x5/%27, which likely include guidance on configuration hardening or firmware updates, though specific patch information is not detailed in the CVE publication from March 18, 2025.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization vulnerability in network-accessible configuration management on a public-facing dashcam device directly enables remote exploitation of public-facing applications (T1190), unauthorized extraction of sensitive data from the local system (T1005), and disabling of critical protective functions (T1562.001).