CVE-2025-30117

High

Published: 18 March 2025

Published

18 March 2025

Modified

22 May 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0006 18.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30117 is a high-severity Improper Authorization (CWE-285) vulnerability in Hella Dr 820 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 5 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly addressing improper authorization that allows unauthorized management of settings and sensitive data access.

IA-3 Device Identification and Authentication good match

prevent

Requires unique identification and authentication of devices before connection, mitigating bypass of device pairing exploited by remote attackers.

AC-6 Least Privilege good match

prevent

Implements least privilege to restrict unauthorized modifications to power management, recording, and battery protection settings.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

T1082 System Information Discovery Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1489 Service Stop Impact

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

attack.mitre.org →

T1499 Endpoint Denial of Service Impact

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthorized access to discover system/vehicle information (T1082), enumerate files/directories (T1083), collect local data like settings and footage (T1005), delete footage (T1070.004), stop recording services (T1489), and cause endpoint DoS via battery drain (T1499).

NVD Description

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. After bypassing the device pairing, an attacker can obtain sensitive…

user and vehicle information through the settings interface. Remote attackers can modify power management settings, disable recording, delete stored footage, and turn off battery protection, leading to potential denial-of-service conditions and vehicle battery drainage.

Deeper analysisAI

CVE-2025-30117, published on 2025-03-18, affects the Forvia Hella HELLA Driving Recorder DR 820. The vulnerability, classified under CWE-285 (Improper Authorization), enables unauthorized parties to manage device settings, obtain sensitive data, and sabotage the car battery. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), reflecting network-accessible exploitation with low complexity, no privileges or user interaction required.

Remote attackers can exploit this by bypassing device pairing to access the settings interface, retrieving sensitive user and vehicle information. They can then modify power management settings, disable recording, delete stored footage, and deactivate battery protection, potentially causing denial-of-service conditions and vehicle battery drainage.

For mitigation guidance, refer to the provided references: https://github.com/geo-chen/Hella and https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26.