Cyber Posture

CVE-2025-30116

High

Published: 18 March 2025

Modified: 22 May 2025
KEV Added: -
Patch: -
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0018 (39.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30116 is a high-severity Improper Authentication (CWE-287) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 39.1th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 4 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent, detect

Establishes usage restrictions, authorization, encryption, and monitoring for remote access to the driving recorder, directly preventing unauthorized connections to ports 9091 and 9092 for video dumping and streaming.

prevent

Manages the lifecycle and strength of authenticators including challenge-response mechanisms to prevent bypasses that enable remote access to sensitive video footage and live streams.

prevent

Enforces approved authorizations for logical access to system resources like SD card video footage, countering the improper authentication that allows remote dumping and streaming.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025 Data from Removable Media (Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1125 Video Capture (Collection)
An adversary can leverage a computer's peripheral devices (e.

T1614 System Location Discovery (Discovery)

Why these techniques?

The vulnerability enables unauthorized remote listing (T1083) and dumping of video footage from the local system and SD card removable media (T1005, T1025), live video streaming (T1125), and extraction of sensitive location data (T1614).

NVD Description

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Remotely Dumping of Video Footage and the Live Video Stream can occur. It allows remote attackers to access and download recorded video footage from the SD card via port 9091. Additionally, attackers can connect to port 9092 to stream the live video feed by bypassing the challenge-response authentication mechanism. This exposes sensitive location and personal data.

Deeper analysis

CVE-2025-30116, published on 2025-03-18, affects the Forvia Hella HELLA Driving Recorder DR 820. This vulnerability, rooted in CWE-287 (Improper Authentication), allows remote dumping of recorded video footage from the device's SD card via port 9091 and access to the live video stream via port 9092. Attackers can bypass the challenge-response authentication mechanism, exposing sensitive location and personal data. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity.

Remote attackers with network access to the device can exploit this without privileges or user interaction. By connecting directly to the specified ports, they can download all stored video footage from the SD card and stream live video feeds, compromising privacy through revelation of vehicle paths, occupants, and other recorded details.

Researcher advisories are available at https://github.com/geo-chen/Hella and https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26, which detail the issue and likely include proof-of-concept demonstrations, though no vendor patches or specific mitigations are referenced in the CVE description.

Details

CWE(s)

Affected Products

hella dr 820 firmware (all versions)

CVEs Like This One

CVE-2025-30114 (same product: Hella Dr 820)
CVE-2025-30113 (same product: Hella Dr 820)
CVE-2025-30115 (same product: Hella Dr 820)
CVE-2025-30117 (same product: Hella Dr 820)
CVE-2025-50901 (shared CWE-287)
CVE-2026-32815 (shared CWE-287)
CVE-2026-5570 (shared CWE-287)
CVE-2026-42560 (shared CWE-287)
CVE-2024-57490 (shared CWE-287)
CVE-2025-64717 (shared CWE-287)

References