CVE-2025-30107
Published: 18 March 2025
Summary
CVE-2025-30107 is a high-severity Missing Authorization (CWE-862) vulnerability in Iroad Dashcam (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 49.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to configuration management functions, directly addressing the missing authorization that allows unauthorized setting modifications and data extraction.
- AC-14 (Permitted Actions Without Identification or Authentication): limits and documents permitted actions without identification or authentication, preventing unauthorized configuration changes and battery sabotage on the dashcam.
- Restricts access to configuration changes, mitigating unauthorized modifications to critical dashcam settings such as battery protection.
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
- T1562.001 Impair Defenses: Disable or Modify Tools
Why these techniques?
The missing authorization vulnerability in network-accessible configuration management on a public-facing dashcam device directly enables remote exploitation of public-facing applications (T1190), unauthorized extraction of sensitive data from the local system (T1005), and disabling of critical protective functions (T1562.001).
NVD Description
On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle.
Deeper analysis
CVE-2025-30107 is a vulnerability in the configuration management of IROAD V9 dashcam devices. It enables unauthorized parties to manage settings, obtain sensitive data, and sabotage the car battery by disabling critical functions and turning off battery protection, which could lead to physical damage to the vehicle. The issue stems from CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with network accessibility and no authentication required.
Attackers can exploit this vulnerability remotely over the network without privileges or user interaction. An unauthorized party gains the ability to arbitrarily modify dashcam settings, extract sensitive data, disable essential features, and deactivate battery protection mechanisms. This could result in operational disruptions or vehicle damage, such as battery drain or failure during critical scenarios.
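The advisory names the weakness class (CWE-862, Missing Authorization) and the controls that address it (AC-3 Access Enforcement, AC-14 Permitted Actions Without Identification or Authentication) but contains no code. The following is an added illustration, not IROAD firmware or anything from the referenced advisories: a hypothetical device settings service shown once without any authorization check and once with AC-3 enforcement on every write plus an explicit AC-14 allow-list for unauthenticated reads. The setting names, roles, policy table and callers are all constructed for the example.

```python
"""
Hypothetical illustration of CWE-862 (Missing Authorization) in a device
settings service, beside an access-enforcing version. Added example: not
IROAD code, not from the advisory. All names and policy values are assumed.
"""
import logging
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, NoReturn, Optional

log = logging.getLogger("settings-audit")


@dataclass(frozen=True)
class Principal:
    """The caller. An unauthenticated caller has no subject and no roles."""
    subject: Optional[str] = None
    roles: FrozenSet[str] = frozenset()

    @property
    def authenticated(self) -> bool:
        return self.subject is not None


ANONYMOUS = Principal()


class AuthorizationError(PermissionError):
    pass


class VulnerableSettingsService:
    """CWE-862 pattern: whoever can reach the interface can change any
    setting, including a safety-relevant one. Shown only for contrast."""

    def __init__(self) -> None:
        self.settings: Dict[str, Any] = {"battery_protection": True, "record_mode": "normal"}

    def update(self, caller: Principal, key: str, value: Any) -> None:
        # No check of who the caller is or what they are allowed to do.
        self.settings[key] = value


class HardenedSettingsService:
    """Every write is authorized against a policy table (AC-3), and the set
    of actions allowed without identification is explicit (AC-14).
    Denials are logged so that probing of the interface is detectable."""

    # Minimum role required to write each setting (hypothetical policy).
    WRITE_POLICY = {
        "battery_protection": "owner",  # safety-relevant: owner only
        "record_mode": "user",          # ordinary preference
    }
    # The only actions an unauthenticated caller may perform (AC-14 list).
    PERMITTED_WITHOUT_AUTH = frozenset({"read:record_mode"})
    ROLE_RANK = {"user": 1, "owner": 2}

    def __init__(self) -> None:
        self.settings: Dict[str, Any] = {"battery_protection": True, "record_mode": "normal"}

    def _deny(self, caller: Principal, action: str) -> NoReturn:
        log.warning("DENY subject=%s action=%s", caller.subject, action)
        raise AuthorizationError(f"{action} not permitted")

    def read(self, caller: Principal, key: str) -> Any:
        action = f"read:{key}"
        if not caller.authenticated and action not in self.PERMITTED_WITHOUT_AUTH:
            self._deny(caller, action)
        return self.settings[key]

    def update(self, caller: Principal, key: str, value: Any) -> None:
        action = f"write:{key}"
        if not caller.authenticated:
            self._deny(caller, action)  # no write is ever in the AC-14 list
        required = self.WRITE_POLICY.get(key)
        if required is None:
            self._deny(caller, action)  # unknown settings are not writable
        caller_rank = max((self.ROLE_RANK.get(r, 0) for r in caller.roles), default=0)
        if caller_rank < self.ROLE_RANK[required]:
            self._deny(caller, action)
        log.info("ALLOW subject=%s action=%s", caller.subject, action)
        self.settings[key] = value


def demo() -> Dict[str, Any]:
    """Exercise both services with constructed callers; return the outcomes."""
    owner = Principal("owner@example.invalid", frozenset({"owner"}))
    user = Principal("user@example.invalid", frozenset({"user"}))
    results: Dict[str, Any] = {}

    vuln = VulnerableSettingsService()
    vuln.update(ANONYMOUS, "battery_protection", False)
    results["vulnerable_anon_disabled_protection"] = vuln.settings["battery_protection"] is False

    hard = HardenedSettingsService()
    for name, caller in (("anon", ANONYMOUS), ("user", user), ("owner", owner)):
        try:
            hard.update(caller, "battery_protection", False)
            results[f"hardened_{name}"] = "allowed"
        except AuthorizationError:
            results[f"hardened_{name}"] = "denied"
    results["anon_read_record_mode"] = hard.read(ANONYMOUS, "record_mode")
    try:
        hard.read(ANONYMOUS, "battery_protection")
        results["anon_read_battery_protection"] = "allowed"
    except AuthorizationError:
        results["anon_read_battery_protection"] = "denied"
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened class is that the authorization decision is taken inside the service on every call, not left to whatever happens to sit in front of it on the network, and that the unauthenticated allow-list is a short, reviewable constant rather than an implicit default. The warning-level log line on each denial is the hook a defender would forward to detect repeated unauthenticated attempts against a configuration interface.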
Mitigation details are referenced in advisories at https://github.com/geo-chen/IROAD-V and https://iroad-dashcam.nl/iroad/iroad-x5/%27, which likely include guidance on configuration hardening or firmware updates; the CVE publication of March 18, 2025 itself does not detail specific patch information.
Details
- CWE(s)