CVE-2025-30112

CVE-2025-30112 is an authentication bypass vulnerability (CWE-288) affecting 70mai Dash Cam 1S devices, published on 2025-03-24. It enables attackers to circumvent the official mobile app's device authorization mechanism, which requires users to physically press the power button on the device during pairing. By connecting directly to the dashcam's Wi-Fi network and accessing the HTTP API on TCP port 80 or the RTSP service on TCP port 554, attackers can gain unauthorized access without this physical confirmation step.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating network accessibility with high attack complexity, low privileges required, and no user interaction needed. An attacker who can join the dashcam's network—such as a nearby adversary within Wi-Fi range—can exploit it to bypass pairing restrictions. This grants unauthorized access to the device's API and RTSP video stream, potentially allowing manipulation of settings, live video viewing, or disruption of device functions, with high impacts on integrity and availability alongside limited confidentiality exposure.

Mitigation details are available in referenced advisories, including the security research disclosure at https://github.com/geo-chen/70mai/blob/main/README.md#finding-1---cve-2025-30112-bypass-device-pairing-of-70mai-dashcam-1s and the vendor product page at https://www.70mai.com/cam1s/. Security practitioners should consult these for any firmware updates or configuration hardening recommendations specific to the 70mai Dash Cam 1S.