CVE-2025-30122
Published: 18 March 2025
Description
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-30122, published on 2025-03-18, affects ROADCAM X3 devices and involves a uniform default credential set that cannot be modified by users. This hard-coded credential issue, classified as CWE-798 (Use of Hard-coded Credentials), enables easy unauthorized access to multiple devices. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.
Remote attackers can exploit this vulnerability without privileges, user interaction, or special conditions, simply by using the known default credentials over the network. Exploitation grants unauthorized access to affected ROADCAM X3 devices, potentially compromising confidentiality, integrity, and availability to a high degree across multiple instances.
Advisories and additional details are available in the referenced sources: https://github.com/geo-chen/RoadCam and https://roadcam.my/pages/install-x3.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability consists of uniform, unchangeable hard-coded default credentials (CWE-798) on a network-accessible device, directly enabling adversaries to authenticate and gain initial access using valid default accounts.