CVE-2025-30116

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Remotely Dumping of Video Footage and the Live Video Stream can occur. It allows remote attackers to access and download recorded video footage from the SD card via port 9091. Additionally, attackers can connect to port 9092 to stream the live video feed by bypassing the challenge-response authentication mechanism. This exposes sensitive location and personal data.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:hella:dr_820_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hella:dr_820:-:*:*:*:*:*:*:*

History

22 May 2025, 19:43

Type Values Removed Values Added
First Time Hella
Hella dr 820
Hella dr 820 Firmware
References () https://github.com/geo-chen/Hella - () https://github.com/geo-chen/Hella - Third Party Advisory
References () https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26 - () https://medium.com/@geochen/cve-draft-hella-driving-recorder-dr-820-ff8c4e2cca26 - Permissions Required
CPE cpe:2.3:h:hella:dr_820:-:*:*:*:*:*:*:*
cpe:2.3:o:hella:dr_820_firmware:-:*:*:*:*:*:*:*

25 Mar 2025, 19:15

Type Values Removed Values Added
Summary
  • (es) Se detectó un problema en Forvia Hella HELLA Driving Recorder DR 820. Puede producirse un volcado remoto de las grabaciones de vídeo y la transmisión en directo. Esto permite a atacantes remotos acceder y descargar las grabaciones de vídeo de la tarjeta SD a través del puerto 9091. Además, los atacantes pueden conectarse al puerto 9092 para transmitir la señal de vídeo en directo evadiendo el mecanismo de autenticación de desafío-respuesta. Esto expone datos confidenciales de ubicación y personales.
CWE CWE-287
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

18 Mar 2025, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-18 15:16

Updated : 2025-05-22 19:43


NVD link : CVE-2025-30116

Mitre link : CVE-2025-30116

CVE.ORG link : CVE-2025-30116


JSON object : View

Products Affected

hella

  • dr_820_firmware
  • dr_820
CWE
CWE-287

Improper Authentication