
CVE-2025-30125

Critical

Published: 28 July 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30125 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Medium (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 36.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-30125 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting Marbella KR8s Dashcam FF 2.0.8 devices, stemming from CWE-798 (use of hard-coded credentials). All devices ship with the identical default credentials of 12345678, creating an insecure-by-default condition that exposes them to unauthorized access. Users who change the password are restricted to 8 characters, and passwords of that length can be brute-forced in approximately 8 hours using low-end commercial cloud resources.

Remote attackers can exploit this vulnerability over the network with low attack complexity (AV:N/AC:L), without privileges (PR:N) or user interaction (UI:N); the scope is unchanged (S:U). Successful exploitation allows full compromise, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), such as accessing video feeds, altering device settings, or disrupting functionality.

Advisories and researcher documentation, including a Medium post and GitHub repository by geo-chen, detail the issue with specifics in the README.md under "Finding 1 - CVE-2025-30125: Same default credentials and limited password combinations." The manufacturer's site (makagps.com) and a Protiviti blog on 8-character password risks provide additional context, though no vendor patches are referenced in the available information.

Vulnerability details

An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords can be cracked in 8 hours via low-end commercial cloud resources.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1078.001 · Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1110.001 · Password Guessing · Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

Hard-coded identical default credentials (CWE-798) directly enable use of default accounts for remote access; short password length enables brute-force guessing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23781 · Shared CWE-798
CVE-2025-30122 · Shared CWE-798
CVE-2026-29119 · Shared CWE-798
CVE-2026-24346 · Shared CWE-798
CVE-2024-46433 · Shared CWE-798
CVE-2020-37135 · Shared CWE-798
CVE-2026-27785 · Shared CWE-798
CVE-2019-25322 · Shared CWE-798
CVE-2025-33089 · Shared CWE-798
CVE-2026-25803 · Shared CWE-798

Affected Assets

Medium
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates changing default authenticators prior to use and ensuring sufficient strength of mechanism to counter hard-coded weak credentials and short password limitations.

prevent

Enforces limits on unsuccessful logon attempts and account lockouts, preventing brute-force cracking of 8-character passwords in hours using cloud resources.

prevent

Requires management of accounts including disabling or removing default accounts to address the insecure-by-default shipment with identical credentials across all devices.
