Cyber Posture

CVE-2025-30114

Critical

Published: 18 March 2025

Modified: 22 May 2025
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-30114 affects the Forvia Hella HELLA Driving Recorder DR 820, a dashcam device, where the pairing mechanism can be bypassed due to its sole reliance on the connecting device's MAC address for authentication. This improper authentication design (CWE-287) allows attackers to spoof the MAC address after obtaining it via network scanning, granting unauthorized access to the device's features. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity with network accessibility, low complexity, and significant impacts on confidentiality and integrity.

Any attacker with network access to the device can exploit this vulnerability without privileges or user interaction. By performing a network scan to identify the legitimate paired device's MAC address and then spoofing it on their own device, the attacker bypasses pairing entirely and gains full control over the dashcam, potentially accessing recorded footage or other sensitive functions.
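The design flaw summarized above, modeled as an added example (not code from the DR 820 firmware or from the researcher's publications): a recorder that treats the claimed MAC address as the only credential, next to a hardened variant that also requires proof of a secret shared at pairing time. The class names, the sample MAC address and the idea of a per-device pairing key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from the DR 820 firmware.
PAIRED_MAC = "aa:bb:cc:dd:ee:01"
PAIRED_KEY = secrets.token_bytes(32)  # hypothetical secret provisioned at pairing


class MacOnlyRecorder:
    """Models the flawed design: the claimed MAC is the only credential."""

    def __init__(self, paired_mac):
        self.paired_mac = paired_mac.lower()

    def authorize(self, claimed_mac):
        # A MAC address is visible on the network and client-settable, so
        # this check identifies a device but does not authenticate it.
        return claimed_mac.lower() == self.paired_mac


def client_response(key, nonce, mac):
    """What a legitimately paired client computes for a given challenge."""
    return hmac.new(key, nonce + mac.lower().encode(), hashlib.sha256).digest()


class ChallengeResponseRecorder:
    """Hardened model: the client must prove possession of the pairing key."""

    def __init__(self, paired_mac, key):
        self.paired_mac = paired_mac.lower()
        self.key = key
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh per attempt
        return self.nonce

    def authorize(self, claimed_mac, response):
        nonce, self.nonce = self.nonce, None  # single use, so replays fail
        if nonce is None or claimed_mac.lower() != self.paired_mac:
            return False
        expected = client_response(self.key, nonce, claimed_mac)
        return hmac.compare_digest(expected, response)
```

In the hardened model the MAC address remains an identifier only; access depends on a key that never crosses the network.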

Further details, including potential proof-of-concept demonstrations, are available in researcher publications such as the GitHub repository at https://github.com/geo-chen/Hella and the Medium article at https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26. No specific patches or vendor mitigations are detailed in the available information.

Details

CWE(s)
CWE-287

Affected Products

hella
dr 820 firmware
all versions

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1125 Video Capture (Collection)
An adversary can leverage a computer's peripheral devices (e.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1561.001 Disk Content Wipe (Impact)
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Why these techniques?

MAC spoofing bypasses pairing to grant full unauthorized access, facilitating data collection from system/removable media including video streams and recordings (T1005, T1025, T1082, T1083, T1125) and destructive actions like file deletion and wiping (T1070.004, T1485, T1561.001).
