Cyber Posture

CVE-2025-30113

Critical

Published: 18 March 2025

Published
18 March 2025
Modified
22 May 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30113 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 7 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly prohibits embedding hardcoded credentials in software such as the dashcam's APK, addressing the root cause of CWE-798.

SC-41 Port and I/O Device Access good match
preventdetect

Monitors and controls connections to vulnerable ports 9091 and 9092, preventing network-based exploitation of the hardcoded credentials.

CM-7 Least Functionality good match
prevent

Restricts system functionality to essential capabilities only, prohibiting unnecessary exposure of ports 9091 and 9092 used for device settings.

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
attack.mitre.org →
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
T1125 Video Capture Collection
An adversary can leverage a computer's peripheral devices (e.
attack.mitre.org →
T1614 System Location Discovery Discovery
attack.mitre.org →
Why these techniques?

Hardcoded credentials enable unauthorized access to API (port 9091) and RTSP (port 9092), facilitating default/valid account usage, unsecured credentials in files, system/file discovery via settings and video lists, video capture via live stream, data from local system (footage), location discovery from recordings, and file deletion.

NVD Description

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Android application contains hardcoded credentials that allow unauthorized access to device settings through ports…

more

9091 and 9092. These credentials, stored in cleartext, can be exploited by an attacker who gains access to the dashcam's network.

Deeper analysisAI

CVE-2025-30113 affects the Forvia Hella HELLA Driving Recorder DR 820, specifically its Android application (APK). The vulnerability involves hardcoded credentials stored in cleartext, enabling unauthorized access to device settings via ports 9091 and 9092. Classified as CWE-798 (Use of Hard-coded Credentials), it was published on 2025-03-18 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An attacker who gains access to the dashcam's network can exploit these credentials remotely without requiring privileges, authentication, or user interaction. Successful exploitation grants unauthorized control over device settings, compromising confidentiality, integrity, and availability to a high degree.

Advisories and related resources, including the GitHub repository at https://github.com/geo-chen/Hella and the Medium post at https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26, provide further technical details on the issue. No specific patches or mitigation steps are detailed in the core CVE information.

Details

CWE(s)
CWE-798

Affected Products

hella
dr 820 firmware
all versions

CVEs Like This One

CVE-2025-30115Same product: Hella Dr 820
CVE-2025-30114Same product: Hella Dr 820
CVE-2025-30116Same product: Hella Dr 820
CVE-2025-30117Same product: Hella Dr 820
CVE-2025-26410Shared CWE-798
CVE-2025-30123Shared CWE-798
CVE-2026-24346Shared CWE-798
CVE-2024-51547Shared CWE-798
CVE-2025-30122Shared CWE-798
CVE-2026-23781Shared CWE-798

References