CVE-2025-30141

An issue was discovered on G-Net Dashcam BB GONX devices. One can Remotely Dump Video Footage and the Live Video Stream. It exposes API endpoints on ports 9091 and 9092 that allow remote access to recorded and live video feeds. An attacker who connects to the dashcam's network can retrieve all stored recordings and convert them from JDR format to MP4. Additionally, port 9092's RTSP stream can be accessed remotely, allowing real-time video feeds to be extracted without the owner's knowledge.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/geo-chen/GNET	Third Party Advisory
https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:gnetsystem:g-onx_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:gnetsystem:g-onx:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-18 20:15

Updated : 2025-07-01 21:04

NVD link : CVE-2025-30141

Mitre link : CVE-2025-30141

CVE.ORG link : CVE-2025-30141

JSON object : View

Products Affected

gnetsystem

g-onx
g-onx_firmware

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-30141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-18T20:15:26.693", "references": [{"url": "https://github.com/geo-chen/GNET", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.gnetsystem.com/eng/product/list?viewMode=view&idx=246&ca_id=0201", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on G-Net Dashcam BB GONX devices. One can Remotely Dump Video Footage and the Live Video Stream. It exposes API endpoints on ports 9091 and 9092 that allow remote access to recorded and live video feeds. An attacker who connects to the dashcam's network can retrieve all stored recordings and convert them from JDR format to MP4. Additionally, port 9092's RTSP stream can be accessed remotely, allowing real-time video feeds to be extracted without the owner's knowledge."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en los dispositivos G-Net Dashcam BB GONX. Se pueden volcar de forma remota secuencias de v\u00eddeo y transmisiones de v\u00eddeo en directo. Esto expone los endpoints de la API en los puertos 9091 y 9092, lo que permite el acceso remoto a las transmisiones de v\u00eddeo grabadas y en directo. Un atacante que se conecta a la red de dashcam puede recuperar todas las grabaciones almacenadas y convertirlas del formato JDR a MP4. Adem\u00e1s, se puede acceder remotamente a la transmisi\u00f3n RTSP del puerto 9092, lo que permite extraer transmisiones de v\u00eddeo en tiempo real sin el conocimiento del propietario."}], "lastModified": "2025-07-01T21:04:38.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:gnetsystem:g-onx_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2120C516-F31B-406B-BC9A-4397D10EDDA3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:gnetsystem:g-onx:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D2E9038F-6802-4704-805F-FC76FD268CCE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}