Cyber Posture

CVE-2025-30122

Critical

Published: 18 March 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30122 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Roadcam (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

IA-5 mandates changing default authenticators prior to first use and managing them securely, directly countering the unmodifiable hard-coded default credentials in ROADCAM X3 devices.

prevent

AC-2 requires comprehensive account management including creation, modification, disabling, and removal of accounts, enabling mitigation of default accounts associated with hard-coded credentials.

prevent · respond

SI-2 ensures timely identification, reporting, and correction of system flaws like hard-coded credentials, allowing remediation or workarounds for CVE-2025-30122.

MITRE ATT&CK Enterprise Techniques · AI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability consists of uniform, unchangeable hard-coded default credentials (CWE-798) on a network-accessible device, directly enabling adversaries to authenticate and gain initial access using valid default accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices.

Deeper analysis · AI

CVE-2025-30122, published on 2025-03-18, affects ROADCAM X3 devices and involves a uniform default credential set that cannot be modified by users. This hard-coded credential issue, classified as CWE-798 (Use of Hard-coded Credentials), enables easy unauthorized access to multiple devices. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.

Remote attackers can exploit this vulnerability without privileges, user interaction, or special conditions, simply by using the known default credentials over the network. Exploitation grants unauthorized access to affected ROADCAM X3 devices, potentially compromising confidentiality, integrity, and availability to a high degree across multiple instances.

Advisories and additional details are available in the referenced sources: https://github.com/geo-chen/RoadCam and https://roadcam.my/pages/install-x3.

Details

CWE(s)

CWE-798 (Use of Hard-coded Credentials)

Affected Products

Roadcam (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-24346 · Shared CWE-798
CVE-2024-51547 · Shared CWE-798
CVE-2026-23781 · Shared CWE-798
CVE-2026-27785 · Shared CWE-798
CVE-2026-26218 · Shared CWE-798
CVE-2026-25803 · Shared CWE-798
CVE-2026-29119 · Shared CWE-798
CVE-2025-33089 · Shared CWE-798
CVE-2026-22900 · Shared CWE-798
CVE-2025-2343 · Shared CWE-798

References