Cyber Posture

CVE-2025-30115

Critical

Published: 18 March 2025
Modified: 22 May 2025
KEV Added: none recorded
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The HELLA Driving Recorder DR 820 ships with a default Wi-Fi SSID and password ("qwertyuiop") that users cannot change. The SSID is continuously broadcast, so anyone in range who knows the fixed password can join the device network (CWE-259, Use of Hard-coded Password).

Security Summary

CVE-2025-30115 is a vulnerability in the Forvia Hella HELLA Driving Recorder DR 820 in which the default credentials cannot be changed by the user. The device uses a fixed default SSID and password ("qwertyuiop"), and the SSID is continuously broadcast. Because the password is baked into the product rather than configurable, the weakness is classified as CWE-259 (Use of Hard-coded Password), and it gives anyone who knows the password access to the device network. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-18.

An attacker within Wi-Fi range can exploit this vulnerability by connecting to the broadcast SSID with the unchangeable default password; no privileges, user interaction, or special conditions are required. Exploitation yields unauthorized access to the device network, with potential for high impact on the confidentiality, integrity, and availability of the recorder and the data it holds. One caveat on the score: the published vector rates Attack Vector as Network (AV:N), but joining a Wi-Fi network requires radio proximity, which CVSS v3.1 models as Adjacent (AV:A). With the same impact and remaining exploitability metrics, AV:A gives a base score of 8.8 rather than 9.8; the "Critical" label rests on the AV:N choice.

Advisories and further details are available in the referenced sources: https://github.com/geo-chen/Hella and https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26.

Details

CWE(s)
CWE-259

Affected Products

Hella DR 820 firmware, all versions

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.
T1070.004 Indicator Removal: File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
T1078.001 Valid Accounts: Default Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1552.001 Unsecured Credentials: Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The direct mapping is T1078.001: the fixed Wi-Fi password is a default credential, and using it is what grants network access. T1552.001 applies when that credential is recovered from where it is stored rather than guessed. The remaining techniques describe what the unauthorized network access then enables: collecting recordings and other data from local storage or removable media (T1005, T1025), fingerprinting the device and its files (T1082, T1083), and deleting files to remove evidence of the intrusion (T1070.004).

References

https://github.com/geo-chen/Hella
https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26