Cyber Resilience

CVE-2025-30127

Critical

Published: 06 August 2025

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30127 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Medium (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks in the top 36.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-30127 is a critical vulnerability (CVSS v3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Marbella KR8s Dashcam FF 2.0.8 devices. It involves improper access control (CWE-200, CWE-284, CWE-521), where video recordings containing sensitive information such as routes, conversations, and footage become accessible for download after initial access is obtained via default, common, or cracked passwords. Attackers connect to the command port 7777 via a socket, then retrieve video files over port 7778 and audio over port 7779.

The vulnerability can be exploited by any remote network attacker capable of reaching the exposed ports on the device. No special privileges, user interaction, or authentication beyond weak initial credentials are required, enabling straightforward exploitation once passwords are guessed or cracked. Successful attacks allow full exfiltration of sensitive recordings, resulting in high confidentiality, integrity, and availability impacts.

Mitigation details are available in researcher advisories, including the disclosure at https://geochen.medium.com/marbella-dashcam-ab40ca41adec, GitHub repository https://github.com/geo-chen/Marbella/ (with README specifics at https://github.com/geo-chen/Marbella/blob/main/README.md#finding-2---cve-2025-30127-video-recordings-open-to-being-downloaded-via-ports-7777-7778-7779), and the vendor site at https://makagps.com/. Security practitioners should review these for patching guidance or configuration changes to strengthen authentication and restrict port access.

Vulnerability details

An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct mapping to exploitation of public-facing device via exposed ports (T1190) and use of default/weak credentials for initial access (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25519: Shared CWE-284
CVE-2026-40885: Shared CWE-200
CVE-2024-57433: Shared CWE-284
CVE-2026-28213: Shared CWE-200
CVE-2026-32865: Shared CWE-200
CVE-2025-30214: Shared CWE-200
CVE-2026-33316: Shared CWE-284
CVE-2026-2055: Shared CWE-200, CWE-284
CVE-2026-2054: Shared CWE-200, CWE-284
CVE-2026-2894: Shared CWE-200, CWE-284

Affected Assets

Medium
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper access control allowing unrestricted download of sensitive video and audio recordings after initial access.

prevent

Mitigates initial unauthorized access gained via default, common, or cracked passwords by enforcing strong authenticator management.

prevent

Prevents remote exploitation by monitoring and controlling network communications to the vulnerable ports 7777, 7778, and 7779.
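
The network-monitoring control above can be applied by correlating flow records for the access pattern described in the analysis: a connection to command port 7777 followed by connections to port 7778 (video) or 7779 (audio) on the same device. The following Python detection is an added example, not code from the advisory or the vendor; the flow-log format, the device and client addresses, the trusted-client list and the 10-minute correlation window are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

COMMAND_PORT = 7777                        # command channel named in the CVE description
MEDIA_PORTS = {7778: "video", 7779: "audio"}
WINDOW = timedelta(minutes=10)             # assumed correlation window

# Constructed sample flow records, format assumed: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2025-08-06T10:00:01 192.168.1.23 192.168.1.254 7777
2025-08-06T10:00:05 192.168.1.23 192.168.1.254 7778
2025-08-06T10:00:09 192.168.1.23 192.168.1.254 7779
2025-08-06T10:02:00 192.168.1.40 192.168.1.254 7777
2025-08-06T10:30:00 192.168.1.40 192.168.1.254 7778
2025-08-06T11:00:00 192.168.1.10 192.168.1.254 7777
2025-08-06T11:00:03 192.168.1.10 192.168.1.254 7778
2025-08-06T11:05:00 192.168.1.50 192.168.1.254 443
"""

def find_media_pulls(flow_text, trusted=("192.168.1.10/32",), window=WINDOW):
    """Return (src, dst, media, timestamp) for each media-port connection that
    follows a command-port connection from the same untrusted source."""
    trusted_nets = [ip_network(n) for n in trusted]
    last_cmd = {}   # (src, dst) -> time of most recent connection to 7777
    alerts = []
    for line in flow_text.splitlines():
        try:
            ts_raw, src, dst, port = line.split()
            ts, src_ip, dport = datetime.fromisoformat(ts_raw), ip_address(src), int(port)
        except ValueError:
            continue  # malformed or blank record
        if any(src_ip in net for net in trusted_nets):
            continue  # e.g. the owner's paired phone (assumed allowlist)
        if dport == COMMAND_PORT:
            last_cmd[(src, dst)] = ts
        elif dport in MEDIA_PORTS:
            opened = last_cmd.get((src, dst))
            if opened is not None and timedelta(0) <= ts - opened <= window:
                alerts.append((src, dst, MEDIA_PORTS[dport], ts_raw))
    return alerts

if __name__ == "__main__":
    for src, dst, media, when in find_media_pulls(SAMPLE_FLOWS):
        print(f"{when} {src} pulled {media} from {dst} after opening port {COMMAND_PORT}")
```
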
