Cyber Resilience

CVE-2025-30131

Critical · Public PoC

Published: 26 June 2025

Modified: 06 November 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0141 (81.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30131 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Iroadau Fx2 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 19.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

The vulnerability CVE-2025-30131 affects IROAD Dashcam FX2 devices and stems from an unauthenticated file upload endpoint. This issue, tracked under CWE-434, allows an attacker to upload a CGI-based webshell that executes arbitrary commands with root privileges on the device.

An unauthenticated remote attacker can leverage the endpoint to upload the webshell and immediately run commands as root. The same mechanism supports uploading a netcat binary to establish a reverse shell, delivering persistent privileged remote access and full device takeover. The flaw received a CVSS v3.1 score of 9.8.

The listed references point to a detailed disclosure on GitHub and the vendor's firmware download page at iroadau.com.au, indicating that firmware updates are the intended remediation path, though no explicit patch instructions or workarounds are provided in the available data. The associated EPSS score remains flat at a low 0.0141 with no material rise observed.

EU & UK References

Vulnerability details

An issue was discovered on IROAD Dashcam FX2 devices. An unauthenticated file upload endpoint can be leveraged to execute arbitrary commands by uploading a CGI-based webshell. Once a file is uploaded, the attacker can execute commands with root privileges, gaining full control over the dashcam. Additionally, by uploading a netcat (nc) binary, the attacker can establish a reverse shell, maintaining persistent remote and privileged access to the device. This allows complete device takeover.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The unauthenticated file upload vulnerability enables exploitation of a public-facing web application (T1190), deployment of a CGI webshell (T1505.003), arbitrary Unix shell command execution as root (T1059.004), and ingress tool transfer, such as uploading a netcat binary for a reverse shell (T1105).

Affected Assets

iroadau fx2 firmware, all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References