Cyber Resilience

CVE-2025-30133

Critical

Published: 28 July 2025
Modified: 06 November 2025
KEV Added: not listed
Patch: none referenced in the cited sources
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 20 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30133 is a critical-severity Improper Access Control (CWE-284) vulnerability in the IROAD Dashcam FX2 firmware (catalogued as Iroadau Fx2 Firmware). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). Its EPSS score places it in the top 43.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-30133 is a critical vulnerability in IROAD Dashcam FX2 devices that allows the device pairing and registration process to be bypassed. The device is meant to authenticate clients through registration in the "IROAD X View" mobile app, but the built-in HTTP server does not enforce that requirement, so any client that reaches the server is served. Published on 2025-07-28 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-284 (Improper Access Control), it exposes the device's web interface without an access-control check. One caveat on the vector: it records AV:N, but the path described below requires joining the dashcam's own Wi-Fi first, so in practice the exposure is to attackers within radio range of the device rather than to arbitrary remote hosts.

An attacker within Wi-Fi range exploits this by joining the dashcam's network with the default password "qwertyuiop" and browsing directly to http://192.168.10.1, skipping the app-based pairing entirely. This grants full access to the HTTP server and, per the vector, high impact to confidentiality, integrity and availability, for example data extraction, configuration changes or disruption. The attack is silent: the device raises no alert when an unpaired client connects. Two weaknesses combine here, and closing either one narrows the exposure: the well-known default Wi-Fi password, and the missing pairing check on the HTTP server itself.
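The access-control failure is that the web server trusts any client that reaches it over the Wi-Fi network. The Python example below is added here to illustrate the pattern; it is not IROAD firmware code and does not come from the cited advisories. It contrasts a handler that serves every request with one that enforces pairing at the HTTP layer, and includes a probe that reports whether the root URL is served to a client holding no pairing credential. The X-Pairing-Token header, the in-memory token store and the single root endpoint are assumptions made for illustration; the real device's pairing protocol is not documented on this page.

```python
"""Pairing enforcement at the HTTP layer: vulnerable vs. hardened handler.

Added example, not IROAD firmware code. The X-Pairing-Token header, the
in-memory PAIRED_TOKENS store and the root endpoint are assumptions made
for illustration only.
"""
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Tokens issued to clients that completed the (assumed) app-pairing flow.
PAIRED_TOKENS = set()


def issue_pairing_token():
    """Simulate successful app pairing: mint and register a bearer token."""
    token = secrets.token_hex(16)
    PAIRED_TOKENS.add(token)
    return token


def is_paired(presented):
    """Constant-time membership check of the presented token."""
    return any(hmac.compare_digest(presented, t) for t in PAIRED_TOKENS)


class UnpairedHandler(BaseHTTPRequestHandler):
    """Vulnerable pattern (CWE-284): every request is served, paired or not."""

    def do_GET(self):
        self.serve_interface()

    def serve_interface(self):
        body = b"dashcam web interface\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class PairedHandler(UnpairedHandler):
    """Hardened pattern: the server itself refuses unpaired clients."""

    def do_GET(self):
        if not is_paired(self.headers.get("X-Pairing-Token", "")):
            self.send_response(403)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.serve_interface()


def probe(handler, token: Optional[str] = None) -> int:
    """Run `handler` on an ephemeral loopback port, GET /, return the status.

    A 200 with token=None means the pairing step can be bypassed.
    """
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = Request("http://127.0.0.1:%d/" % server.server_address[1])
        if token is not None:
            req.add_header("X-Pairing-Token", token)
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unpaired client vs vulnerable server:", probe(UnpairedHandler))
    print("unpaired client vs hardened server:  ", probe(PairedHandler))
    print("paired client vs hardened server:    ",
          probe(PairedHandler, issue_pairing_token()))
```

The probe is the same check a tester would run against a real device once on its Wi-Fi: if the root URL answers with content to a client that never paired, the pairing step is not being enforced by the server. The hardened handler shows the minimal fix shape, a per-request check of a credential that only the pairing flow can issue, evaluated before any content is served.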

Advisories in the GitHub repository https://github.com/geo-chen/IROAD detail the issue under Finding #12 (CVE-2025-30133 - Unprotected URL Shortcut) and Finding #7 (Bypass of Device Pairing/Registration for IROAD FX-2). The vendor's firmware download page at https://www.iroadau.com.au/downloads/ is referenced, but no specific patches or mitigations are outlined in the provided sources.


Vulnerability details

An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent.

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables unauthorized access by connecting to the device's Wi-Fi using the default password 'qwertyuiop' and directly accessing the unprotected HTTP server without pairing or authentication, facilitating abuse of default accounts.

CVEs Like This One

CVE-2025-2347 (same product: Iroadau Fx2)
CVE-2025-2350 (same product: Iroadau Fx2)
CVE-2025-63353 (shared CWE-284)
CVE-2024-35177 (shared CWE-284)
CVE-2026-48898 (shared CWE-284)
CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-39339 (shared CWE-284)
CVE-2026-28855 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)

Affected Assets

iroadau fx2 firmware, all versions

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires the HTTP server to enforce approved authorizations and pairing restrictions, directly preventing unauthorized direct access to the web interface.

AC-18 Wireless Access (prevent): establishes controls for wireless access points, including authentication and encryption, to block unauthorized Wi-Fi connections using the default password.

IA-5 Authenticator Management (prevent): mandates changing default authenticators such as the Wi-Fi password 'qwertyuiop' prior to first use, eliminating the easy entry vector for attackers.
