CVE-2025-30133
Published: 28 July 2025
Summary
CVE-2025-30133 is a critical-severity Improper Access Control (CWE-284) vulnerability in IROAD Dashcam FX2 firmware (listed as Iroadau Fx2 Firmware). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). It ranks at the 27.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-3 requires the HTTP server itself to enforce approved authorizations, including the pairing restriction that only the app currently applies, so that a client that has not completed pairing gets no access to the web interface.
AC-18 establishes controls for wireless access points, including authentication and encryption, to block unauthorized Wi-Fi connections using the default password.
IA-5 mandates changing default authenticators such as the Wi-Fi password 'qwertyuiop' prior to first use, eliminating the easy entry vector for attackers.
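The three controls above map onto a small amount of server-side code. The following is an added example written for this page, not IROAD firmware or anything from the advisory: a loopback stand-in for the dashcam's HTTP listener that refuses unpaired clients (AC-3), records each unpaired attempt so the intrusion is no longer silent, and rejects the shipped default Wi-Fi password before the access point comes up (IA-5). The header name X-Pairing-Token, the registry layout and the pairing flow that would issue tokens are assumptions.

```python
# Added example (not IROAD firmware code): the AC-3 / IA-5 controls applied
# where the advisory says they were missing, the HTTP server itself.
# The X-Pairing-Token header and the PairingRegistry layout are assumptions.
import hmac
import logging
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("dashcam")

DEFAULT_WIFI_PASSWORD = "qwertyuiop"  # shipped default named in the advisory


class PairingRegistry:
    """Tokens handed to apps that completed pairing. Empty until the owner pairs,
    so a fresh device rejects every request instead of serving everyone."""

    def __init__(self):
        self._tokens = set()
        self.alerts = []  # unpaired connection attempts, surfaced to the owner

    def issue_token(self):
        """Called at the end of the (assumed) app pairing flow."""
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def is_paired(self, presented):
        if not presented:
            return False
        presented_b = presented.encode()
        # compare_digest is constant-time, so a token cannot be guessed by timing
        return any(hmac.compare_digest(presented_b, t.encode()) for t in self._tokens)

    def record_unpaired(self, client_ip, path):
        msg = f"unpaired client {client_ip} requested {path}"
        self.alerts.append(msg)  # the silent intrusion becomes an owner-visible event
        log.warning(msg)


def authorize(registry, client_ip, path, headers):
    """AC-3 decision point. Returns (status, reason).
    The vulnerable firmware behaves as if this always returned (200, 'paired')."""
    token = headers.get("X-Pairing-Token")
    if registry.is_paired(token):
        return 200, "paired"
    registry.record_unpaired(client_ip, path)
    return 401, "pairing required"


def wifi_password_acceptable(password):
    """IA-5: refuse to bring the AP up on the shipped default or a short password."""
    return password != DEFAULT_WIFI_PASSWORD and len(password) >= 12


class HardenedHandler(BaseHTTPRequestHandler):
    registry = PairingRegistry()

    def do_GET(self):
        status, reason = authorize(
            self.registry, self.client_address[0], self.path, self.headers
        )
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # Stand-in for the dashcam's 192.168.10.1 listener; bound to loopback here.
    logging.basicConfig(level=logging.WARNING)
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

Run it and a plain GET to http://127.0.0.1:8080/ returns 401 and a logged warning naming the client address; only a request carrying a token from issue_token() is served. The point of keeping authorize() separate from the handler is that the decision is made once, on the server, for every path, rather than being left to the app.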
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability enables unauthorized access in two steps: joining the device's Wi-Fi with the default password 'qwertyuiop' (the default-credential use that T1078.001 covers) and then reaching the HTTP server directly, which performs no pairing or authentication check of its own. The technique mapping describes the entry vector; the bypass itself is an access-control failure (CWE-284) rather than credential misuse.
NVD Description
An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent.
Deeper analysis (AI-generated)
CVE-2025-30133 is a critical vulnerability in IROAD Dashcam FX-2 devices that enables bypass of the device pairing and registration process. The devices normally require authentication via the "IROAD X View" mobile app, but the built-in HTTP server does not enforce this restriction, allowing unauthorized access. Published on 2025-07-28 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-284 (Improper Access Control), it exposes the device's web interface without proper safeguards.
Any attacker within Wi-Fi range can exploit this by connecting to the dashcam's network with the default password "qwertyuiop" and browsing directly to http://192.168.10.1, skipping app-based pairing entirely. Note that the vector string records AV:N even though the attacker must first join the dashcam's own Wi-Fi, so the practical precondition is adjacent-network reach rather than Internet exposure. This grants full access to the HTTP server, potentially enabling high-impact compromise of confidentiality, integrity, and availability, such as data extraction, configuration changes, or disruption. The attack is completely silent: no alert is triggered on the device, so the owner has no indication that an unpaired client has connected.
Advisories in the GitHub repository https://github.com/geo-chen/IROAD detail the issue under Finding #12 (CVE-2025-30133 - Unprotected URL Shortcut) and Finding #7 (Bypass of Device Pairing/Registration for IROAD FX-2). The vendor's firmware download page at https://www.iroadau.com.au/downloads/ is referenced, but no specific patches or mitigations are outlined in the provided sources.
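Since the sources list no patch, the practical question for an owner is whether a given unit still serves unpaired clients. The probe below is an added example written for this page, not a tool from the advisory or from IROAD; run it only against a dashcam you own, after joining its Wi-Fi. It sends one plain GET with none of the state the app would carry and classifies the response. The base URL is the one the advisory gives; the request paths and the verdict strings are assumptions.

```python
# Added example (not from the advisory or IROAD): audit probe for the pairing
# bypass. Only the base URL comes from the advisory; paths and verdicts are assumed.
import urllib.error
import urllib.request

DASHCAM_URL = "http://192.168.10.1"  # address given in the advisory


def classify(status, body):
    """Map one unauthenticated response to a verdict.
    Conservative: any 2xx with a body counts as exposed, since the fix the
    advisory implies is that an unpaired client gets nothing useful back."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "pairing enforced"
    if 200 <= status < 300 and body:
        return "exposed: served without pairing"
    if 200 <= status < 300:
        return "indeterminate: empty 2xx"
    return f"indeterminate: HTTP {status}"


def fetch(url, timeout=5):
    """GET with no cookies, no token, nothing the paired app would have added."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-30133-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # 4xx/5xx arrive as exceptions; the code is still the answer we want
        return exc.code, exc.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def check(base_url=DASHCAM_URL, paths=("/",)):
    """Probe each path once and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


if __name__ == "__main__":
    for path, verdict in check().items():
        print(f"{DASHCAM_URL}{path}: {verdict}")
```

A verdict of "exposed" on the base URL reproduces the condition the advisory describes; "pairing enforced" after a firmware update is the signal that the HTTP server now checks pairing itself. A redirect or an empty response is reported as indeterminate rather than guessed at, because a login page and a silently served interface both start with a 2xx.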
Details
- CWE(s)