CVE-2025-30135 is a security vulnerability identified in IROAD Dashcam FX2 devices. The vulnerability arises from the lack of authentication controls on both the HTTP and RTSP interfaces of the device. Specifically, the HTTP interface exposes a directory (http://192.168.10.1/mnt/extsd/event/) that allows unauthenticated attackers to download all stored video recordings in an unencrypted form. This means that any attacker with network access to the device can retrieve sensitive video footage without any credentials. Additionally, the RTSP stream on port 8554 is also accessible without authentication, enabling attackers to view live video feeds in real-time. The absence of authentication on these interfaces represents a critical security flaw, as it compromises both the confidentiality and privacy of the recorded and live video data. Since the data is transmitted unencrypted, it is vulnerable to interception and unauthorized access. The vulnerability does not require user interaction or authentication, making exploitation relatively straightforward for anyone with network access to the device. No CVSS score has been assigned yet, and no patches or mitigations have been officially published at the time of this report. There are no known exploits in the wild currently, but the exposure of sensitive video data and live streams presents a significant risk if exploited.

For European organizations, this vulnerability poses a serious risk to privacy and data protection compliance, especially under regulations such as the GDPR, which mandates strict controls over personal data, including video recordings. Organizations using IROAD Dashcam FX2 devices in fleet management, logistics, transportation, or security operations could have sensitive footage exposed, potentially revealing confidential operational details or personally identifiable information (PII) of employees, customers, or third parties. The ability to access live streams without authentication could also enable real-time surveillance by unauthorized parties, leading to espionage or physical security risks. The unencrypted transmission of data further increases the risk of interception by malicious actors within the network. This could lead to reputational damage, legal liabilities, and financial penalties for affected organizations. The vulnerability also undermines trust in the security of IoT devices deployed in critical business functions. Given that exploitation does not require authentication or user interaction, the threat can be realized by insiders or external attackers who gain network access, including through compromised Wi-Fi or VPN connections.

Immediate mitigation steps include isolating the affected dashcam devices on segmented, secured networks with strict access controls to limit exposure to trusted personnel only. Organizations should disable or restrict access to the HTTP and RTSP interfaces if possible, or place them behind VPNs or firewalls that enforce authentication and encryption. Network monitoring should be implemented to detect unauthorized access attempts to the device IP and RTSP port 8554. If available, firmware updates or patches from the vendor should be applied promptly once released. In the absence of official patches, organizations should consider replacing vulnerable devices with alternatives that enforce proper authentication and encryption. Additionally, encrypting network traffic using VPN tunnels or secure protocols can reduce the risk of interception. Regular audits of IoT device configurations and network segmentation policies are recommended to prevent similar vulnerabilities. Finally, organizations should review and update their incident response plans to address potential data breaches involving video footage.