Cyber Posture

CVE-2025-30114

Severity: Critical
Published: 18 March 2025
Modified: 22 May 2025
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30114 is a critical-severity Improper Authentication (CWE-287) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 7 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires authenticating devices using mechanisms stronger than spoofable MAC addresses before allowing connections to the dashcam, preventing unauthorized pairing bypass.

prevent: Enforces access control policies that restrict dashcam features to only properly authenticated devices, blocking full unauthorized access gained via MAC spoofing.

prevent: Manages authenticators to ensure sufficient strength and protection against spoofing, such as prohibiting sole reliance on MAC addresses for device pairing.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1125 Video Capture (Collection)
An adversary can leverage a computer's peripheral devices (e.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1561.001 Disk Content Wipe (Impact)
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Why these techniques?

MAC spoofing bypasses pairing to grant full unauthorized access, facilitating data collection from system/removable media including video streams and recordings (T1005, T1025, T1082, T1083, T1125) and destructive actions like file deletion and wiping (T1070.004, T1485, T1561.001).

NVD Description

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization.

Deeper analysis

CVE-2025-30114 affects the Forvia Hella HELLA Driving Recorder DR 820, a dashcam device, where the pairing mechanism can be bypassed because it relies solely on the connecting device's MAC address for authentication. This improper authentication design (CWE-287) allows attackers to spoof the MAC address after obtaining it via network scanning, granting unauthorized access to the device's features. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), which is Critical: it is reachable over the network, has low attack complexity, and has high impact on confidentiality and integrity.

Any attacker with network access to the device can exploit this vulnerability without privileges or user interaction. By performing a network scan to identify the legitimate paired device's MAC address and then spoofing it on their own device, the attacker bypasses pairing entirely and gains full control over the dashcam, potentially accessing recorded footage or other sensitive functions.
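Added example, not from this page, the researcher, or the vendor: a constructed Python model that contrasts the MAC-only check described above with a keyed challenge-response of the kind the device-authentication control calls for. All function and class names and the MAC value are hypothetical, and the per-device key is assumed to be provisioned during a user-approved pairing step.

```python
import hashlib
import hmac
import secrets

# Constructed model, not DR 820 firmware; all names and values are hypothetical.
PAIRED_MAC = "02:00:00:aa:bb:cc"  # constructed, locally administered address

def mac_only_accept(paired_macs, claimed_mac):
    # Weak check described in the CVE: the claimed identifier is the only proof.
    return claimed_mac.lower() in paired_macs

def _tag(key, mac, nonce):
    # HMAC binds the fresh nonce to the device identity under the pairing key.
    return hmac.new(key, nonce + mac.lower().encode(), hashlib.sha256).digest()

class ChallengeResponseGate:
    # Hardened check: the MAC only selects a key; holding the key authenticates.
    def __init__(self):
        self._keys = {}     # mac -> secret provisioned during user-approved pairing
        self._pending = {}  # mac -> outstanding single-use nonce

    def pair(self, mac):
        self._keys[mac.lower()] = secrets.token_bytes(32)
        return self._keys[mac.lower()]  # handed to the client at pairing time

    def challenge(self, mac):
        self._pending[mac.lower()] = secrets.token_bytes(16)
        return self._pending[mac.lower()]

    def verify(self, mac, response):
        nonce = self._pending.pop(mac.lower(), None)  # single use, so replays fail
        key = self._keys.get(mac.lower())
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_tag(key, mac, nonce), response)

def demo():
    gate = ChallengeResponseGate()
    key = gate.pair(PAIRED_MAC)
    n1 = gate.challenge(PAIRED_MAC)
    legit = gate.verify(PAIRED_MAC, _tag(key, PAIRED_MAC, n1))
    n2 = gate.challenge(PAIRED_MAC)
    # Same MAC but no pairing key: the response cannot match.
    no_key = gate.verify(PAIRED_MAC, _tag(b"\x00" * 32, PAIRED_MAC, n2))
    replay = gate.verify(PAIRED_MAC, _tag(key, PAIRED_MAC, n1))
    return mac_only_accept({PAIRED_MAC}, PAIRED_MAC), legit, no_key, replay
```

`demo()` returns, in order, the result of the MAC-only check for a matching address, a legitimate keyed response, a response computed without the pairing key, and a replayed response to an already consumed nonce.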

Further details, including potential proof-of-concept demonstrations, are available in researcher publications such as the GitHub repository at https://github.com/geo-chen/Hella and the Medium article at https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26. No specific patches or vendor mitigations are detailed in the available information.

Details

CWE(s)

CWE-287 (Improper Authentication)

Affected Products

hella dr 820 firmware (all versions)

CVEs Like This One

CVE-2025-30116 (same product: Hella Dr 820)
CVE-2025-30115 (same product: Hella Dr 820)
CVE-2025-30113 (same product: Hella Dr 820)
CVE-2025-30117 (same product: Hella Dr 820)
CVE-2025-50901 (shared CWE-287)
CVE-2026-32815 (shared CWE-287)
CVE-2026-5570 (shared CWE-287)
CVE-2026-42560 (shared CWE-287)
CVE-2024-57490 (shared CWE-287)
CVE-2025-64717 (shared CWE-287)

References