Cyber Resilience

CVE-2025-30114

Critical

Published: 18 March 2025

Modified: 22 May 2025
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30114 is a critical-severity Improper Authentication (CWE-287) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 8.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2025-30114 affects the Forvia Hella HELLA Driving Recorder DR 820, a dashcam device, where the pairing mechanism can be bypassed due to its sole reliance on the connecting device's MAC address for authentication. This improper authentication design (CWE-287) allows attackers to spoof the MAC address after obtaining it via network scanning, granting unauthorized access to the device's features. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity with network accessibility, low complexity, and significant impacts on confidentiality and integrity.

Any attacker with network access to the device can exploit this vulnerability without privileges or user interaction. By performing a network scan to identify the legitimate paired device's MAC address and then spoofing it on their own device, the attacker bypasses pairing entirely and gains full control over the dashcam, potentially accessing recorded footage or other sensitive functions.

Further details, including potential proof-of-concept demonstrations, are available in researcher publications such as the GitHub repository at https://github.com/geo-chen/Hella and the Medium article at https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26. No specific patches or vendor mitigations are detailed in the available information.


Vulnerability details

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1125 Video Capture (Collection)
An adversary can leverage a computer's peripheral devices (e.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1561.001 Disk Content Wipe (Impact)
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Why these techniques?

MAC spoofing bypasses pairing to grant full unauthorized access, facilitating data collection from system/removable media including video streams and recordings (T1005, T1025, T1082, T1083, T1125) and destructive actions like file deletion and wiping (T1070.004, T1485, T1561.001).

CVEs Like This One

CVE-2025-30116 (Same product: Hella Dr 820)
CVE-2025-30115 (Same product: Hella Dr 820)
CVE-2025-30113 (Same product: Hella Dr 820)
CVE-2025-30117 (Same product: Hella Dr 820)
CVE-2025-50901 (Shared CWE-287)
CVE-2026-32815 (Shared CWE-287)
CVE-2024-11322 (Shared CWE-287)
CVE-2025-71279 (Shared CWE-287)
CVE-2024-13804 (Shared CWE-287)
CVE-2025-56752 (Shared CWE-287)

Affected Assets

Vendor: hella
Product: dr 820 firmware
Versions: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires authenticating devices using mechanisms stronger than spoofable MAC addresses before allowing connections to the dashcam, preventing unauthorized pairing bypass.

prevent

Enforces access control policies that restrict dashcam features to only properly authenticated devices, blocking full unauthorized access gained via MAC spoofing.

prevent

Manages authenticators to ensure sufficient strength and protection against spoofing, such as prohibiting sole reliance on MAC addresses for device pairing.
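
The difference between the MAC-only pairing check described under "Deeper analysis" and the stronger device authentication the controls above call for, as an added example that is not code from the vendor, the researchers or this page. `KeyedPairing`, `respond` and the sample MAC are hypothetical names and constructed values; the hardened design assumes a per-device secret is provisioned at pairing time.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; not taken from the device or the advisory.
PAIRED_MAC = "02:00:00:aa:bb:cc"

def mac_only_check(paired_macs, claimed_mac):
    """Design described on this page: identity is just the source MAC."""
    return claimed_mac.lower() in paired_macs

class KeyedPairing:
    """Hypothetical hardened design: a pairing secret proves identity."""
    def __init__(self):
        self._keys = {}       # mac -> per-device secret set at pairing
        self._pending = {}    # mac -> outstanding one-time nonce

    def pair(self, mac):
        key = secrets.token_bytes(32)
        self._keys[mac.lower()] = key
        return key            # handed to the phone during pairing

    def challenge(self, mac):
        nonce = secrets.token_bytes(16)
        self._pending[mac.lower()] = nonce
        return nonce

    def verify(self, mac, response):
        mac = mac.lower()
        nonce = self._pending.pop(mac, None)   # single use: blocks replay
        key = self._keys.get(mac)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + mac.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key, mac, nonce):
    """Client side: answer the challenge with the pairing secret."""
    return hmac.new(key, nonce + mac.lower().encode(), hashlib.sha256).digest()

def demo():
    cam = KeyedPairing()
    key = cam.pair(PAIRED_MAC)
    legit = cam.verify(PAIRED_MAC, respond(key, PAIRED_MAC, cam.challenge(PAIRED_MAC)))
    # A client that presents the paired MAC but does not hold the secret:
    n = cam.challenge(PAIRED_MAC)
    spoof = cam.verify(PAIRED_MAC, respond(b"\x00" * 32, PAIRED_MAC, n))
    return mac_only_check({PAIRED_MAC}, PAIRED_MAC.upper()), legit, spoof
```

`demo()` returns the MAC-only result, the legitimate keyed result and the keyed result for a client that knows only the MAC; the MAC-only check accepts any client presenting the address, while the keyed check rejects it.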
