CVE-2025-30127
Published: 06 August 2025
Summary
CVE-2025-30127 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Marbella KR8s Dashcam FF 2.0.8 devices. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks in the top 36.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-30127 is a critical vulnerability (CVSS v3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Marbella KR8s Dashcam FF 2.0.8 devices. It involves improper access control (CWE-200, CWE-284, CWE-521), where video recordings containing sensitive information such as routes, conversations, and footage become accessible for download after initial access is obtained via default, common, or cracked passwords. Attackers connect to the command port 7777 via a socket, then retrieve video files over port 7778 and audio over port 7779.
The vulnerability can be exploited by any remote network attacker capable of reaching the exposed ports on the device. No special privileges, user interaction, or authentication beyond weak initial credentials are required, enabling straightforward exploitation once passwords are guessed or cracked. Successful attacks allow full exfiltration of sensitive recordings, resulting in high confidentiality, integrity, and availability impacts.
Mitigation details are available in researcher advisories, including the disclosure at https://geochen.medium.com/marbella-dashcam-ab40ca41adec, GitHub repository https://github.com/geo-chen/Marbella/ (with README specifics at https://github.com/geo-chen/Marbella/blob/main/README.md#finding-2---cve-2025-30127-video-recordings-open-to-being-downloaded-via-ports-7777-7778-7779), and the vendor site at https://makagps.com/. Security practitioners should review these for patching guidance or configuration changes to strengthen authentication and restrict port access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23864
Vulnerability details
An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to exploitation of public-facing device via exposed ports (T1190) and use of default/weak credentials for initial access (T1078).
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper access control allowing unrestricted download of sensitive video and audio recordings after initial access.
Mitigates initial unauthorized access gained via default, common, or cracked passwords by enforcing strong authenticator management.
Prevents remote exploitation by monitoring and controlling network communications to the vulnerable ports 7777, 7778, and 7779.
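The port sequence described above (command port 7777, then video on 7778 and audio on 7779) can be monitored for in network flow logs. The following is an added example, not taken from the advisory or the vendor; the flow-record format, the 5-minute correlation window, and the function name are assumptions, and the sample records are constructed.

```python
import csv
from io import StringIO

CMD_PORT, VIDEO_PORT, AUDIO_PORT = 7777, 7778, 7779  # ports named in the advisory
WINDOW_S = 300  # assumption: media connection follows the command port within 5 minutes

# Constructed sample flow records: epoch seconds, source, destination, destination port.
SAMPLE_FLOWS = """\
1722900000,192.0.2.10,198.51.100.5,7777
1722900004,192.0.2.10,198.51.100.5,7778
1722900009,192.0.2.10,198.51.100.5,7779
1722900100,192.0.2.77,198.51.100.5,7778
1722900200,192.0.2.50,198.51.100.5,443
1722900300,192.0.2.60,198.51.100.5,7777
1722901000,192.0.2.60,198.51.100.5,7778
"""

def find_download_sessions(flow_text, window=WINDOW_S):
    """Return one finding per (src, dst) pair that opened the command port
    and then a media port on the same device within `window` seconds."""
    last_cmd = {}   # (src, dst) -> time of the most recent command-port connection
    findings = {}   # (src, dst) -> finding record
    rows = [r for r in csv.reader(StringIO(flow_text)) if r]
    for ts, src, dst, dport in sorted(rows, key=lambda r: int(r[0])):
        ts, dport, key = int(ts), int(dport), (src, dst)
        if dport == CMD_PORT:
            last_cmd[key] = ts
        elif dport in (VIDEO_PORT, AUDIO_PORT) and key in last_cmd:
            if ts - last_cmd[key] <= window:
                hit = findings.setdefault(key, {
                    "src": src, "dst": dst,
                    "first_seen": last_cmd[key], "media": set(),
                })
                hit["media"].add("video" if dport == VIDEO_PORT else "audio")
    return list(findings.values())

if __name__ == "__main__":
    for f in find_download_sessions(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: command port then {sorted(f['media'])}")
```

Media-port connections with no preceding command-port connection, or outside the window, are not reported here; a deployment may want to alert on any external reachability of these three ports as well.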