9.8

CVE-2025-30133

EPSS 0.09%
Veröffentlicht 28.07.2025 00:00:00
Zuletzt bearbeitet 06.11.2025 20:07:15
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Iroadau ≫ Fx2 Firmware Version-

Iroadau ≫ Fx2 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.253

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-7-bypass-of-device-pairingregistration-for-iroad-fx2

Third Party Advisory

https://www.iroadau.com.au/downloads/

Product

https://github.com/geo-chen/IROAD/blob/main/README.md#finding-12---cve-2025-30133-unprotected-url-shortcut

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-30133

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-30133

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-30133

EUVD