Cyber Posture

CVE-2025-30115

Critical

Published: 18 March 2025

Modified: 22 May 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30115 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 6 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires replacement of vendor default passwords and authenticators, such as the fixed 'qwertyuiop' WiFi password, prior to system deployment to prevent unauthorized access.

Prevent: Mandates authorization, authentication, encryption, and monitoring of wireless access, directly countering continuous broadcast of fixed SSID with unchangeable default credentials.

Prevent: Enforces secure baseline configuration settings that prohibit use of hard-coded default SSID and passwords on wireless devices like the HELLA DR 820.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Default and hardcoded credentials enable valid account access (T1078.001, T1552.001); unauthorized access facilitates data collection from local system/removable media (T1005, T1025), system/file discovery (T1082, T1083), and file deletion (T1070.004).

NVD Description

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Default Credentials Cannot Be Changed. It uses a fixed default SSID and password ("qwertyuiop"), which cannot be modified by users. The SSID is continuously broadcast, allowing unauthorized access to the device network.

Deeper analysis

CVE-2025-30115 is a vulnerability in the Forvia Hella HELLA Driving Recorder DR 820, where default credentials cannot be changed by users. The device employs a fixed default SSID and password ("qwertyuiop"), and the SSID is continuously broadcast. This configuration, tied to CWE-259 (Use of Hard-coded Password), enables unauthorized access to the device network. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-18.

Any remote attacker within wireless range can exploit this vulnerability by connecting to the broadcast SSID using the unchanging default password, requiring no privileges, user interaction, or complex conditions. Exploitation provides unauthorized network access to the device, with potential for high impacts on confidentiality, integrity, and availability.

Advisories and further details are available in the referenced sources: https://github.com/geo-chen/Hella and https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26.

Details

CWE(s)

Affected Products

hella
dr 820 firmware
all versions

CVEs Like This One

CVE-2025-30113 (Same product: Hella Dr 820)
CVE-2025-30114 (Same product: Hella Dr 820)
CVE-2025-30117 (Same product: Hella Dr 820)
CVE-2025-30116 (Same product: Hella Dr 820)
CVE-2025-70798 (Shared CWE-259)
CVE-2024-48831 (Shared CWE-259)
CVE-2026-25753 (Shared CWE-259)
CVE-2025-70802 (Shared CWE-259)
CVE-2025-30106 (Shared CWE-259)
CVE-2025-59388 (Shared CWE-259)
