Cyber Resilience

CVE-2025-30122

Critical

Published: 18 March 2025

Published
18 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30122 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Roadcam (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-30122, published on 2025-03-18, affects ROADCAM X3 devices and involves a uniform default credential set that cannot be modified by users. This hard-coded credential issue, classified as CWE-798 (Use of Hard-coded Credentials), enables easy unauthorized access to multiple devices. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.

Remote attackers can exploit this vulnerability without privileges, user interaction, or special conditions, simply by using the known default credentials over the network. Exploitation grants unauthorized access to affected ROADCAM X3 devices, potentially compromising confidentiality, integrity, and availability to a high degree across multiple instances.

Advisories and additional details are available in the referenced sources: https://github.com/geo-chen/RoadCam and https://roadcam.my/pages/install-x3.

EU & UK References

Vulnerability details

An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability consists of uniform, unchangeable hard-coded default credentials (CWE-798) on a network-accessible device, directly enabling adversaries to authenticate and gain initial access using valid default accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23781Shared CWE-798
CVE-2026-29119Shared CWE-798
CVE-2026-24346Shared CWE-798
CVE-2024-46433Shared CWE-798
CVE-2020-37135Shared CWE-798
CVE-2026-27785Shared CWE-798
CVE-2019-25322Shared CWE-798
CVE-2025-33089Shared CWE-798
CVE-2026-25803Shared CWE-798
CVE-2026-22900Shared CWE-798

Affected Assets

Roadcam
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 mandates changing default authenticators prior to first use and managing them securely, directly countering the unmodifiable hard-coded default credentials in ROADCAM X3 devices.

prevent

AC-2 requires comprehensive account management including creation, modification, disabling, and removal of accounts, enabling mitigation of default accounts associated with hard-coded credentials.

preventrespond

SI-2 ensures timely identification, reporting, and correction of system flaws like hard-coded credentials, allowing remediation or workarounds for CVE-2025-30122.

References