Cyber Resilience

CVE-2025-30107

High

Published: 18 March 2025

Published
18 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0026 49.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30107 is a high-severity Missing Authorization (CWE-862) vulnerability in Iroad Dashcam (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-30107 is a vulnerability in the configuration management of IROAD V9 dashcam devices. It enables unauthorized parties to manage settings, obtain sensitive data, and sabotage the car battery by disabling critical functions and turning off battery protection, which could lead to physical damage to the vehicle. The issue stems from CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with network accessibility and no authentication required.

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction. An unauthorized party gains the ability to arbitrarily modify dashcam settings, extract sensitive data, disable essential features, and deactivate battery protection mechanisms. This could result in operational disruptions or vehicle damage, such as battery drain or failure during critical scenarios.

Mitigation details are referenced in advisories at https://github.com/geo-chen/IROAD-V and https://iroad-dashcam.nl/iroad/iroad-x5/%27, which likely include guidance on configuration hardening or firmware updates, though specific patch information is not detailed in the CVE publication from March 18, 2025.

EU & UK References

Vulnerability details

On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off…

more

battery protection, potentially causing physical damage to the vehicle.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

The missing authorization vulnerability in network-accessible configuration management on a public-facing dashcam device directly enables remote exploitation of public-facing applications (T1190), unauthorized extraction of sensitive data from the local system (T1005), and disabling of critical protective functions (T1562.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27833Shared CWE-862
CVE-2026-25808Shared CWE-862
CVE-2026-1280Shared CWE-862
CVE-2026-4030Shared CWE-862
CVE-2026-34976Shared CWE-862
CVE-2026-1104Shared CWE-862
CVE-2026-33918Shared CWE-862
CVE-2026-34184Shared CWE-862
CVE-2026-27638Shared CWE-862
CVE-2026-25810Shared CWE-862

Affected Assets

Iroad Dashcam
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to configuration management functions, directly addressing the missing authorization that allows unauthorized setting modifications and data extraction.

prevent

Limits and documents permitted actions without identification or authentication, preventing unauthorized configuration changes and battery sabotage on the dashcam.

prevent

Restricts access to configuration changes, mitigating unauthorized modifications to critical dashcam settings like battery protection.

References