CVE-2025-30137
Published: 18 March 2025
Summary
CVE-2025-30137 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Gnetsystem (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003); ranked at the 48.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates secure management of authenticators including changing defaults and protecting from disclosure, directly preventing hardcoded credentials embedded in the GNET APK.
AC-2 requires managed lifecycle for accounts including creation, modification, and disabling, prohibiting static unmanaged hardcoded accounts like adim/000000 and admin/tibet.
SC-41 monitors and controls access to specific ports such as 9091 and 9092, blocking unauthorized connections to the dashcam API endpoints even with known credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable use of valid local device accounts (T1078.003) to exploit exposed API endpoints (T1190).
NVD Description
An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in the APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET SSID is connected to, the attacker sends a crafted authentication command with TibetList and 000000 to list settings of the dashcam at port 9091. There's a separate set of credentials for port 9092 (stream) that is also exposed in cleartext: admin + tibet. For settings, the required credentials are adim + 000000.
Deeper analysis
CVE-2025-30137 is a critical-severity vulnerability (CVSS 9.8) in the G-Net GNET APK version 2.6.2, stemming from hardcoded credentials (CWE-798) embedded in the mobile application. These credentials grant unauthorized access to the dashcam's API endpoints exposed on ports 9091 (settings) and 9092 (stream). Specifically, the credentials "adim" and "000000" work for settings on port 9091, while "admin" and "tibet" apply to the stream on port 9092.
An attacker with network proximity can exploit this by connecting to the GNET SSID and sending a crafted authentication command, such as "TibetList" paired with "000000", to port 9091 to enumerate dashcam settings. No privileges, user interaction, or complex prerequisites are required (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation over the network. Successful access allows high confidentiality, integrity, and availability impacts, potentially permitting attackers to view live streams, modify settings, or disrupt dashcam operations.
References include a GitHub repository at https://github.com/geo-chen/GNET detailing the issue and the vendor product page at https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201, though no specific patches or mitigation steps are outlined in available details.
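As an added illustration for app-security review (not code from the advisory, the GitHub repository or the vendor), the Python heuristic below scans a grep-style listing of a decoded APK for string constants stored next to the dashcam port constants 9091/9092, the CWE-798 pattern this CVE describes, and marks which candidate pairs match the advisory's published credentials. The smali file names and the listing format are constructed assumptions.

```python
import re
from collections import defaultdict

# Credential pairs published in the advisory, keyed by the port they unlock.
KNOWN_PAIRS = {9091: ("adim", "000000"), 9092: ("admin", "tibet")}
DASHCAM_PORTS = set(KNOWN_PAIRS)

# smali literal forms: const-string vX, "..." and const/16 vX, 0x2383 (= 9091).
STRING_RE = re.compile(r'const-string \w+, "([^"]*)"')
PORT_RE = re.compile(r'const(?:/16|/4)? \w+, (0x[0-9a-fA-F]+|\d+)')

# Constructed sample listing (path:line), as `grep -rn` over an apktool
# output tree might produce. Paths are hypothetical, not the real APK's.
SAMPLE_LISTING = """\
res/values/strings.xml:app_name=GNET
smali/com/example/api/SettingsClient.smali:const-string v0, "adim"
smali/com/example/api/SettingsClient.smali:const-string v1, "000000"
smali/com/example/api/SettingsClient.smali:const/16 v2, 0x2383
smali/com/example/api/StreamClient.smali:const-string v0, "admin"
smali/com/example/api/StreamClient.smali:const-string v1, "tibet"
smali/com/example/api/StreamClient.smali:const/16 v2, 0x2384
smali/com/example/ui/MainActivity.smali:const-string v0, "Connected"
"""


def scan_smali_listing(listing: str) -> list[dict]:
    """Flag files holding a dashcam port constant plus adjacent string literals.

    Adjacent short literals in a file that also hard-codes 9091 or 9092 are
    reported as candidate credential pairs; findings need manual triage.
    """
    per_file = defaultdict(list)
    for raw in listing.splitlines():
        path, _, body = raw.partition(":")
        if body:
            per_file[path].append(body.strip())

    findings = []
    for path, lines in per_file.items():
        strings, ports = [], set()
        for body in lines:
            if (m := STRING_RE.match(body)):
                strings.append(m.group(1))
            elif (m := PORT_RE.match(body)):
                ports.add(int(m.group(1), 0))  # base 0 handles 0x.. and decimal
        for port in sorted(ports & DASHCAM_PORTS):
            for user, pwd in zip(strings, strings[1:]):
                if not user or not pwd or " " in user + pwd or len(pwd) > 32:
                    continue  # skip UI text; credentials are short tokens
                findings.append({"file": path, "port": port, "user": user,
                                 "password": pwd,
                                 "matches_advisory": KNOWN_PAIRS[port] == (user, pwd)})
    return findings


if __name__ == "__main__":
    for f in scan_smali_listing(SAMPLE_LISTING):
        print(f)
```

Run it against a real `grep -rn` listing of an apktool output tree; any finding with `matches_advisory` true confirms the affected build, and other findings are candidates for the same weakness.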
Details
- CWE(s)