CVE-2025-30125
Published: 28 July 2025
Summary
CVE-2025-30125 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Medium (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 36.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-30125 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting Marbella KR8s Dashcam FF 2.0.8 devices, stemming from CWE-798 (use of hard-coded credentials). All devices ship with identical default credentials of 12345678, creating an insecure-by-default condition that exposes them to unauthorized access. Users who change the password are restricted to 8 characters, which can be brute-forced in approximately 8 hours using low-end commercial cloud resources.
Remote attackers can exploit this vulnerability over the network with low attack complexity (AV:N/AC:L), without privileges (PR:N) or user interaction (UI:N), and with scope unchanged (S:U). Successful exploitation allows full compromise, yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), such as accessing video feeds, altering device settings, or disrupting functionality.
Advisories and researcher documentation, including a Medium post and GitHub repository by geo-chen, detail the issue with specifics in the README.md under "Finding 1 - CVE-2025-30125: Same default credentials and limited password combinations." The manufacturer's site (makagps.com) and a Protiviti blog on 8-character password risks provide additional context, though no vendor patches are referenced in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22906
Vulnerability details
An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords can be cracked in 8 hours via low-end commercial cloud resources.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded identical default credentials (CWE-798) directly enable use of default accounts for remote access; short password length enables brute-force guessing.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates changing default authenticators prior to use and ensuring sufficient strength of mechanism to counter hard-coded weak credentials and short password limitations.
Enforces limits on unsuccessful logon attempts and account lockouts, preventing brute-force cracking of 8-character passwords in hours using cloud resources.
Requires management of accounts including disabling or removing default accounts to address the insecure-by-default shipment with identical credentials across all devices.