CVE-2025-30123
Published: 18 March 2025
Summary
CVE-2025-30123 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Roadcam (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-8 (Security and Privacy Engineering Principles).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires secure management and protection of authenticators, directly preventing the embedding of hard-coded FTP credentials in the Viidure APK.
SA-8 mandates application of security engineering principles throughout the development lifecycle, which would eliminate hard-coded credentials like those for the FTPX account.
AC-2 enforces account management practices that require strong authenticators and disable unnecessary accounts such as FTPX, mitigating exploitation of exposed credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hardcoded credentials embedded in the APK map directly to T1552.001. They enable use of a valid local account (FTPX) via an external remote service (FTP), per T1078.003 and T1133, for unauthorized device access and data extraction, per T1005.
NVD Description
An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to gain unauthorized access and extract sensitive recorded footage from the device.
Deeper analysis
CVE-2025-30123, published on 2025-03-18, affects ROADCAM X3 devices through their associated Viidure mobile app APK. The vulnerability stems from hardcoded FTP credentials for the FTPX user account embedded in the APK, classified under CWE-798 (Use of Hard-coded Credentials). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high-impact confidentiality, integrity, and availability violations.
Any remote attacker with network access to the device's FTP service can exploit this vulnerability by using the exposed credentials. Per the CVSS vector, this requires no prior privileges, no user interaction, and low attack complexity. Successful exploitation grants unauthorized access to the device, enabling extraction of sensitive recorded footage stored on it.
References point to a GitHub repository at https://github.com/geo-chen/RoadCam, likely containing related research or proof-of-concept details, and the official ROADCAM X3 installation page at https://roadcam.my/pages/install-x3. No vendor advisories or patch details are specified in the available information.
Details
- CWE(s)