CVE-2025-30135 · CRITICAL 9.4 · EPSS p39.7%

Description

An issue was discovered on IROAD Dashcam FX2 devices: files can be dumped over HTTP and RTSP without authentication. The device lacks authentication controls on its HTTP and RTSP interfaces, allowing attackers to retrieve sensitive files and video recordings. By connecting to http://192.168.10.1/mnt/extsd/event/, an attacker can download all stored video recordings unencrypted. Additionally, the RTSP stream on port 8554 is accessible without authentication, allowing an attacker to view live footage.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.51% probability of exploitation · percentile 39.7% · 2026-06-19T12:03:05Z
Published: 2025-07-25
Last modified: 2025-11-06

Underlying weaknesses · 1

CWE-306

References

  1. https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-13---cve-2025-30135-locking-owner-out-of-device-dos
  2. https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-8-dumping-files-over-http-and-rtsp-without-authentication
  3. https://www.iroadau.com.au/downloads/

Type: Weakness · Target: Missing Authentication for Critical Function (cwe-306) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-30133
CVE-2025-30131
CVE-2025-2345
CVE-2025-30132
CVE-2025-30106
CVE-2025-30123

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.