CVE-2025-30137
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30137 is a high-severity vulnerability (CVSS 9.8) in the G-Net GNET APK version 2.6.2, stemming from hardcoded credentials (CWE-798) embedded in the mobile application. These credentials grant unauthorized access to the dashcam's API endpoints exposed on ports 9091 (settings) and 9092 (stream). Specifically, the credentials "adim" and "000000" work for settings on port 9091, while "admin" and "tibet" apply to the stream on port 9092.
An attacker with network proximity can exploit this by connecting to the GNET SSID and sending a crafted authentication command, such as "TibetList" paired with "000000", to port 9091 to enumerate dashcam settings. No privileges, user interaction, or complex prerequisites are required (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation over the network. Successful access allows high confidentiality, integrity, and availability impacts, potentially permitting attackers to view live streams, modify settings, or disrupt dashcam operations.
References include a GitHub repository at https://github.com/geo-chen/GNET detailing the issue and the vendor product page at https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201, though no specific patches or mitigation steps are outlined in available details.
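A defender's check for the hardcoded-credential weakness described above, as an added example that is not code from the referenced repository or the vendor: it audits an APK file for the credential pairs the advisory names, matching them only as whole string literals. The function names and the sample APK are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Credential pairs named in the advisory text for ports 9091 and 9092.
ADVISORY_PAIRS = {
    "settings (9091)": ("adim", "000000"),
    "stream (9092)": ("admin", "tibet"),
}

# Runs of printable ASCII, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def literals_in(blob):
    """Return the set of printable ASCII runs found in a binary blob."""
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)}


def audit_apk(apk_bytes, pairs=ADVISORY_PAIRS):
    """Map each APK entry to the credential pairs it embeds.

    Both halves must be stand-alone literals in the same entry, so
    "admin" inside "administrator" does not count.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            found = literals_in(apk.read(name))
            hits = sorted(label for label, (user, secret) in pairs.items()
                          if user in found and secret in found)
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk():
    """Constructed test input: a ZIP with fake DEX-style string data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Length-prefixed, NUL-terminated literals, as DEX string items are.
        z.writestr("classes.dex", b"dex\n035\x00\x04adim\x00\x06000000\x00"
                                  b"\x05admin\x00\x05tibet\x00")
        z.writestr("assets/help.txt", b"contact the administrator\x00admin\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, labels in audit_apk(build_sample_apk()).items():
        print(entry, "->", ", ".join(labels))
```

A clean result does not prove the credentials are absent: literals that are obfuscated, encrypted, or assembled at runtime are not found by a string scan.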
Details
- CWE(s): CWE-798
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable use of valid local device accounts (T1078.003) to exploit exposed API endpoints (T1190).