CVE-2025-30114

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/geo-chen/Hella	Third Party Advisory
https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26	Permissions Required

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hella:dr_820_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:hella:dr_820:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-18 15:16

Updated : 2025-05-22 19:46

NVD link : CVE-2025-30114

Mitre link : CVE-2025-30114

CVE.ORG link : CVE-2025-30114

JSON object : View

Products Affected

hella

dr_820
dr_820_firmware

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-30114", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-03-18T15:16:02.583", "references": [{"url": "https://github.com/geo-chen/Hella", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26", "tags": ["Permissions Required"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Forvia Hella HELLA Driving Recorder DR 820. Es posible que se omita el emparejamiento del dispositivo. El mecanismo de emparejamiento se basa \u00fanicamente en la direcci\u00f3n MAC del dispositivo conectado. Al obtener la direcci\u00f3n MAC mediante escaneo de red y falsificarla, un atacante puede eludir el proceso de autenticaci\u00f3n y obtener acceso completo a las funciones de dashcam sin la debida autorizaci\u00f3n."}], "lastModified": "2025-05-22T19:46:19.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hella:dr_820_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53788D10-80DC-4A88-9472-D8D0CD20A457"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hella:dr_820:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ADEE1CDA-ADA2-46F0-B689-C3E75A6C40D3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}