CVE-2025-30072: n/a
Tiiwee X1 Alarm System TWX1HAKV2 allows Authentication Bypass by Capture-replay, leading to physical access to the protected facilities without triggering an alarm.
AI Analysis
Technical Summary
CVE-2025-30072 is a high-severity vulnerability affecting the Tiiwee X1 Alarm System model TWX1HAKV2. It allows an attacker to bypass authentication through a capture-replay attack: the attacker captures legitimate authentication signals or tokens transmitted by authorized users and replays them to the alarm system to gain unauthorized physical access to protected facilities. The bypass occurs without triggering the alarm, effectively rendering the security system ineffective. The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay), a form of improper authentication. The CVSS 3.1 base score of 7.6 reflects high severity, with the vector indicating that the attack can be performed remotely (AV:N), requires low attack complexity (AC:L) and no privileges (PR:N), but does require user interaction (UI:R). The impact on confidentiality and integrity is low, but the impact on availability is high, because the alarm system's ability to detect unauthorized access is compromised. No patches or vendor advisories are currently available, and no known exploits are reported in the wild as of the publication date (May 19, 2025).
Potential Impact
For European organizations, this vulnerability poses a significant risk to physical security, especially for facilities relying on the Tiiwee X1 Alarm System TWX1HAKV2 to protect sensitive or critical infrastructure. Successful exploitation could allow unauthorized individuals to enter premises undetected, potentially leading to theft, espionage, sabotage, or harm to personnel. The inability of the alarm system to trigger alerts undermines trust in physical security controls and may lead to increased operational risks and financial losses. Organizations in sectors such as government, finance, healthcare, manufacturing, and critical infrastructure are particularly vulnerable. The capture-replay nature of the attack means that attackers need to be in proximity to capture authentication signals, but once obtained, they can bypass alarms without raising suspicion. This could also facilitate insider threats or targeted attacks by adversaries with physical access to the vicinity of the alarm system.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement compensating controls immediately. These include:
1) Deploying additional layers of physical security such as CCTV with motion detection and video analytics to detect unauthorized presence independently of the alarm system.
2) Using multi-factor authentication methods for physical access that do not rely solely on replayable signals, such as biometric verification or challenge-response tokens resistant to replay attacks.
3) Monitoring and logging all access attempts and correlating with other security systems to detect anomalies.
4) Restricting physical proximity to the alarm system's communication channels to prevent attackers from capturing authentication data, for example by shielding wireless signals or relocating receivers.
5) Conducting regular security audits and penetration testing focused on physical security controls.
6) Engaging with the vendor or suppliers to obtain updates or firmware patches as soon as they become available.
7) Training security personnel to recognize signs of tampering or replay attacks and to respond promptly.
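Why a challenge-response token (recommendation 2) resists the capture-replay weakness while a static signal does not, as an added example that is not code from the vendor or from this advisory. The page does not describe the Tiiwee radio protocol, so the frame bytes, class names and HMAC-SHA256 construction below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

DISARM = b"DISARM"  # hypothetical command label


class StaticCodeReceiver:
    """Receiver that accepts any frame equal to the paired remote's fixed code."""

    def __init__(self, paired_code: bytes):
        self.paired_code = paired_code

    def accept(self, frame: bytes) -> bool:
        # No freshness check: an identical frame is valid every time it is seen.
        return hmac.compare_digest(frame, self.paired_code)


class ChallengeResponseReceiver:
    """Receiver that issues a one-time nonce and verifies HMAC(key, nonce || command)."""

    def __init__(self, key: bytes):
        self.key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, command: bytes, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def token_response(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What the legitimate token computes for the nonce it was just given."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo():
    frame = b"\xa5\x5a\x3c\x01"  # constructed sample frame, not a real device code
    static_rx = StaticCodeReceiver(frame)
    static_results = (static_rx.accept(frame), static_rx.accept(frame))

    key = secrets.token_bytes(32)
    rx = ChallengeResponseReceiver(key)
    response = token_response(key, rx.challenge(), DISARM)
    first = rx.accept(DISARM, response)
    rx.challenge()  # the next attempt gets a fresh nonce
    replayed = rx.accept(DISARM, response)  # the old response no longer matches
    return static_results + (first, replayed)
```

`demo()` returns the accept decision for the first and the repeated frame on each receiver; only the challenge-response receiver rejects the repeat.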
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-16T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb5a2
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/6/2025, 7:24:33 AM
Last updated: 8/16/2025, 2:02:14 PM