CVE-2025-30124 is a critical security vulnerability affecting Marbella KR8s Dashcam FF version 2.0.8 devices. The vulnerability arises from the device's insecure handling of user credentials when a new SD card is inserted. Specifically, the dashcam automatically writes the existing user password onto the newly inserted SD card in cleartext without any encryption or protection. This behavior exposes the password to anyone who gains temporary physical access to the dashcam and can swap the SD card. An attacker can then retrieve the password by simply reading the contents of the SD card, potentially compromising the device and any associated accounts or services that use the same credentials. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information), indicating poor security practices in credential storage. The CVSS v3.1 base score is 9.8, reflecting a critical severity due to the vulnerability's characteristics: it requires no privileges or user interaction, can be exploited remotely via network access (AV:N), and results in high confidentiality, integrity, and availability impacts. Although no known exploits are currently reported in the wild, the ease of exploitation and the sensitive nature of the data exposed make this a significant threat. The lack of available patches or mitigations from the vendor further exacerbates the risk. Dashcams are often used in vehicles for security and evidence collection, and compromise of these devices could lead to unauthorized access to recorded footage, manipulation of data, or broader network compromise if the device is connected to other systems.

For European organizations, especially those in transportation, logistics, law enforcement, and fleet management sectors, this vulnerability poses a substantial risk. Compromise of dashcam credentials could lead to unauthorized access to sensitive video footage, potentially exposing personal data protected under GDPR, such as images of individuals, license plates, and locations. This could result in privacy violations, regulatory fines, and reputational damage. Furthermore, if the dashcams are integrated into broader vehicle telematics or corporate networks, attackers could leverage the compromised credentials to pivot into internal systems, causing operational disruptions or data breaches. The critical severity and ease of exploitation mean that attackers with brief physical access—such as during vehicle maintenance or parking—could extract passwords without detection. This risk is heightened in shared or public vehicle environments common in European urban centers. Additionally, the lack of authentication or user interaction required for exploitation increases the threat surface. Organizations relying on these dashcams must consider the potential for espionage, sabotage, or data theft, which could impact business continuity and compliance obligations.

Given the absence of vendor patches, European organizations should implement immediate compensating controls. First, restrict physical access to vehicles equipped with Marbella KR8s Dashcam FF devices to trusted personnel only, employing secure parking and surveillance measures. Secondly, regularly inspect and monitor SD cards for unauthorized removal or replacement. Organizations should consider disabling automatic writing of passwords to SD cards if device settings allow or replacing the dashcams with models that follow secure credential management practices. Network segmentation is critical; isolate dashcam devices from sensitive internal networks to limit lateral movement if compromised. Employ endpoint detection and response (EDR) tools to monitor for unusual device behavior or unauthorized access attempts. Additionally, enforce strong, unique passwords for dashcam devices and change them frequently to reduce the window of exposure. Educate staff about the risks of physical device tampering and implement strict policies for device handling. Finally, maintain an inventory of affected devices and track firmware updates or vendor advisories for future patches.