CVE-2025-30140
Published: 18 March 2025
Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Security Summary
CVE-2025-30140 is a vulnerability in G-Net Dashcam BB GONX devices where an unregistered public domain name is used as an internal domain name. This configuration creates a security risk because the domain was not originally owned by GNET, allowing an attacker to register it and potentially intercept sensitive device traffic. The issue has been categorized under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The vulnerability was published on 2025-03-18.
The attack scenario involves a remote attacker with no required privileges or user interaction who registers the public domain name. If the dashcam or related services attempt to resolve this domain over the public Internet rather than locally, the attacker can achieve man-in-the-middle interception, leading to data exfiltration and high confidentiality impact.
References for the vulnerability include a GitHub repository at https://github.com/geo-chen/GNET maintained by the discoverer, who has since registered the domain, and the vendor product page at https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201. No specific patch or mitigation details from advisories are provided in the available information.
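A defensive check for this class of issue, as an added example that is not from the advisory, the vendor or the discoverer's repository: it audits hostnames extracted from device configuration and flags any that sit in the public DNS namespace outside domains the organisation controls. All hostnames and the owned-domain list are constructed placeholders, and `classify` and `audit` are hypothetical names.

```python
import ipaddress

# Special-use / private-use suffixes that a third party cannot register
# (RFC 6761, RFC 6762, RFC 8375, and ICANN's reserved .internal).
RESERVED_SUFFIXES = ("internal", "home.arpa", "local", "localhost",
                     "test", "invalid", "example")


def _under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label boundary)."""
    return name == suffix or name.endswith("." + suffix)


def classify(hostname, owned_domains):
    """Return 'ip', 'reserved', 'unqualified', 'owned' or 'exposed'."""
    name = hostname.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    if any(_under(name, s) for s in RESERVED_SUFFIXES):
        return "reserved"
    if "." not in name:
        # Resolution depends on the DNS search list; review separately.
        return "unqualified"
    if any(_under(name, d.lower().rstrip(".")) for d in owned_domains):
        return "owned"
    # Publicly registrable name that the organisation does not control.
    return "exposed"


def audit(hostnames, owned_domains):
    """Sorted, de-duplicated hostnames that a third party could claim."""
    return sorted({h for h in hostnames if classify(h, owned_domains) == "exposed"})


# Constructed sample data, not taken from any real device.
OWNED = ["vendor-owned-placeholder.com"]
CONFIG_HOSTS = [
    "192.168.1.254",
    "updates.device.internal",
    "API.Vendor-Owned-Placeholder.com.",
    "sync.unclaimed-placeholder.net",
    "evilvendor-owned-placeholder.com",  # look-alike, not a subdomain of OWNED
]

if __name__ == "__main__":
    for host in audit(CONFIG_HOSTS, OWNED):
        print("internal name in public namespace:", host)
```

Names reported as exposed still need a registration and ownership check; a name that is unregistered, or registered to someone else, is the condition this CVE describes.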
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows attackers to register an unregistered public domain used internally by the device, enabling adversary-in-the-middle attacks to intercept sensitive device traffic if resolved over the public internet.