CVE-2025-30106
Published: 18 March 2025
Summary
CVE-2025-30106 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Iroad Dashcam (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 17.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly addressing hardcoded unchangeable credentials on the dashcam.
AC-18 requires usage restrictions, prior authorization, and authentication plus encryption for wireless access, preventing attackers from connecting to the device's Wi-Fi network.
SI-2 requires identifying, reporting, and correcting flaws such as hardcoded credentials in system components like the IROAD v9 dashcam.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded default credentials directly enable the use of default accounts for unauthorized Wi-Fi access (T1078.001); the network access gained this way then facilitates packet sniffing and traffic capture (T1040).
NVD Description
On IROAD v9 devices, the dashcam has hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This allows an attacker within Wi-Fi range to connect to the device's network to perform sniffing.
Deeper analysis
CVE-2025-30106 is a vulnerability in IROAD v9 dashcam devices stemming from hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This issue, mapped to CWE-259 (Use of Hard-coded Password), enables unauthorized access to the device's Wi-Fi network. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An attacker within Wi-Fi range of the affected device can exploit this vulnerability with low complexity and no required privileges or user interaction. By using the hardcoded credentials, the attacker gains network access, allowing them to perform packet sniffing and potentially capture sensitive traffic transmitted over the device's network.
References for this CVE include a GitHub repository at https://github.com/geo-chen/IROAD-V, which details the vulnerability, and a product page at https://iroad-dashcam.nl/iroad/iroad-x5/. No specific advisories or patches mentioning mitigations are provided in the available information.
Details
- CWE(s)