CVE-2025-30135

9.4 CRITICAL

📋 TL;DR

IROAD Dashcam FX2 devices lack authentication on HTTP and RTSP interfaces, allowing attackers to download stored video recordings and view live footage without credentials. This affects all users of these dashcams, exposing sensitive driving data and personal information.

💻 Affected Systems

Products:
  • IROAD Dashcam FX2
Versions: All versions prior to patch (specific version unknown)
Operating Systems: Embedded dashcam firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices are vulnerable out-of-the-box with default configurations. The HTTP interface on 192.168.10.1 and RTSP on port 8554 are accessible without credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all recorded video data, including sensitive locations, license plates, and personal conversations, potentially used for stalking, blackmail, or corporate espionage.

🟠 Likely Case

Unauthorized access to driving footage revealing personal routines, home/work locations, and potentially incriminating evidence from accidents or incidents.

🟢 If Mitigated

Limited exposure if devices are isolated from untrusted networks, though physical proximity attacks remain possible.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, attackers worldwide can access footage without authentication.
🏢 Internal Only: MEDIUM - Local network attackers or anyone with physical proximity to the dashcam's WiFi can access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a web browser or an RTSP client. No special tools or skills are needed. A public GitHub repository demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.iroadau.com.au/downloads/

Restart Required: No

Instructions:

Check vendor website for firmware updates. If available, download and install following manufacturer instructions. No specific patch version is documented.

🔧 Temporary Workarounds

Network Isolation (all platforms)

Isolate the dashcam on a separate VLAN or network segment without internet access.

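Firewall Rules (Linux)

Block external access to the dashcam IP address on TCP ports 80 and 8554. Apply these rules on a Linux gateway that routes traffic toward the dashcam; they do not affect clients joined directly to the dashcam's own WiFi.

# FORWARD filters routed traffic; INPUT only covers traffic addressed to the gateway itself
iptables -A FORWARD -d 192.168.10.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.168.10.1 -p tcp --dport 8554 -j DROP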

🧯 If You Can't Patch

  • Physically disconnect dashcam from networks when not in use
  • Use dashcam only in trusted environments with no untrusted devices on same network

🔍 How to Verify

Check if Vulnerable:

Access http://192.168.10.1/mnt/extsd/event/ in a browser or connect to rtsp://192.168.10.1:8554/live with VLC. If either is accessible without credentials, the device is vulnerable.

Check Version:

Check device settings menu or vendor documentation for firmware version

Verify Fix Applied:

Attempt the same access methods after applying fixes. Successful access indicates the device is still vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to /mnt/extsd/event/
  • Multiple RTSP connection attempts from unauthorized IPs

Network Indicators:

  • Traffic to 192.168.10.1:80 or :8554 from unexpected sources
  • Large data transfers from dashcam IP

SIEM Query:

dest_ip="192.168.10.1" AND (dest_port=80 OR dest_port=8554) AND NOT user_agent="expected-agent"
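
The log and network indicators above, applied to flow records. This is an added example, not part of the original advisory or any vendor tooling. The six-column record layout, the client allowlist and the bulk-transfer threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

DASHCAM_IP = "192.168.10.1"        # address given in the advisory
DASHCAM_PORTS = {80, 8554}         # HTTP and RTSP ports from the advisory
EVENT_PATH = "/mnt/extsd/event/"   # recording directory named in the advisory

# Constructed sample records (not real traffic). Assumed column layout:
# time,src_ip,dst_ip,dst_port,bytes_from_server,http_path
SAMPLE_LOG = """\
2025-01-10T08:00:01,192.168.10.20,192.168.10.1,80,1200,/
2025-01-10T08:00:05,192.168.10.20,192.168.10.1,8554,400000,
2025-01-10T08:03:11,192.168.10.77,192.168.10.1,80,900,/mnt/extsd/event/
2025-01-10T08:03:15,192.168.10.77,192.168.10.1,80,52000000,/mnt/extsd/event/clip_a.mp4
2025-01-10T08:03:40,192.168.10.77,192.168.10.1,80,61000000,/mnt/extsd/event/clip_b.mp4
2025-01-10T08:04:02,192.168.10.88,192.168.10.1,8554,300000,
2025-01-10T08:05:00,192.168.10.20,192.168.10.50,443,5000,
"""

def find_suspicious(log_text, allowed_clients, bulk_bytes=100_000_000):
    """Return {src_ip: sorted reasons} for traffic matching the indicators."""
    reasons = defaultdict(set)
    pulled = defaultdict(int)  # bytes each client pulled from the dashcam
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines rather than guessing at fields
        _, src, dst, port, nbytes, path = row
        if dst != DASHCAM_IP or not port.isdigit() or int(port) not in DASHCAM_PORTS:
            continue  # not traffic to the dashcam's HTTP/RTSP services
        if src not in allowed_clients:
            reasons[src].add("unexpected-source")
            if path.startswith(EVENT_PATH):
                reasons[src].add("event-dir-access")
        pulled[src] += int(nbytes) if nbytes.isdigit() else 0
    for src, total in pulled.items():
        if total >= bulk_bytes:  # large transfer, flagged even for known clients
            reasons[src].add("bulk-transfer")
    return {src: sorted(r) for src, r in reasons.items()}

if __name__ == "__main__":
    for src, why in find_suspicious(SAMPLE_LOG, {"192.168.10.20"}).items():
        print(src, ", ".join(why))
```

Set the allowlist to the owner's known phone or tablet addresses and tune the byte threshold to normal clip-download volume.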
