Cyber Posture

CVE-2025-30139

Critical

Published: 18 March 2025

Modified: 01 July 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (47.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30139 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Gnetsystem G-Onx Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 47.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 8 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

AC-18 mandates secure wireless access configurations including authentication and encryption, directly preventing unauthorized connections to the dashcam's fixed-SSID network with default credentials.

prevent

IA-5 requires management of authenticators to prohibit defaults and enforce strong, changeable credentials, addressing the unchangeable default Wi-Fi credentials core to this CVE.

prevent

SC-40 implements cryptographic protections for wireless links, mitigating traffic sniffing by attackers who connect using default credentials.

MITRE ATT&CK Enterprise Techniques [AI]

T1078.001: Default Accounts (tactic: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1040: Network Sniffing (tactic: Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1005: Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1025: Data from Removable Media (tactic: Collection)
Adversaries may search connected removable media on computers they have compromised to find files of interest.

T1070.004: File Deletion (tactic: Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1082: System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1499: Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

T1552.001: Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1684.001: Impersonation (tactic: Stealth)
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.

Why these techniques?

Default, unchangeable Wi-Fi credentials (T1078.001) and hardcoded credentials (T1552.001) enable unauthorized access, which in turn facilitates network sniffing (T1040), MAC impersonation (T1656), data collection from the local system and removable media (T1005, T1025), system information discovery (T1082), file deletion (T1070.004), and endpoint DoS via battery drain (T1499).

NVD Description

An issue was discovered on G-Net Dashcam BB GONX devices. Default credentials for SSID cannot be changed. It broadcasts a fixed SSID with default credentials that cannot be changed. This allows any nearby attacker to connect to the dashcam's network without restriction. Once connected, an attacker can sniff on connected devices such as the user's smartphone. The SSID is also always broadcasted.

Deeper analysis [AI]

CVE-2025-30139 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting G-Net Dashcam BB GONX devices, published on 2025-03-18. The issue stems from unchangeable default credentials for the device's Wi-Fi network, whose SSID is fixed and always broadcast. This configuration, classified as CWE-1392, prevents users from securing the network with custom credentials, exposing the dashcam's wireless interface to unauthorized access.

Any nearby attacker within Wi-Fi range can exploit this vulnerability with no privileges, authentication, or user interaction required (AV:N/AC:L/PR:N/UI:N). Upon connecting to the dashcam's network using the default credentials, the attacker gains unrestricted access and can sniff traffic from other connected devices, such as the user's smartphone, potentially compromising sensitive data in transit.

References for further details include the GitHub repository at https://github.com/geo-chen/GNET and the product page at https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201, though no specific advisories on patches or mitigations are detailed in the available information.

Details

CWE(s)

Affected Products

gnetsystem g-onx firmware (all versions)

CVEs Like This One

CVE-2025-30142 (Same product: Gnetsystem G-Onx)
CVE-2025-30141 (Same product: Gnetsystem G-Onx)
CVE-2025-30140 (Same product: Gnetsystem G-Onx)
CVE-2025-23012 (Shared CWE-1392)
CVE-2025-8731 (Shared CWE-1392)
CVE-2026-26341 (Shared CWE-1392)
CVE-2025-1160 (Shared CWE-1392)
CVE-2025-2398 (Shared CWE-1392)
CVE-2025-54756 (Shared CWE-1392)
CVE-2025-10542 (Shared CWE-1392)

References