Key Vulnerability Information

Finding 1: CVE-2025-30125 - Same default credentials and limited password combinations
Vulnerability Type: Insecure Permissions
Vendor of Product: Marbella
Affected Product Code Base: KR6, KRX
Affected Component: Weak password strength
Attack Type: Remote
Impact Code Execution: False
Impact Information Disclosure: True
Description: All dashcams ship with the same default credentials, 12345678, which turns every unit into a "honeypot" web app. For users who do change the password, the new password is limited to 8 characters. According to research, an 8-character password takes a maximum of 8 hours to crack on an AWS box.

Finding 2: CVE-2025-30127 - Video recordings open to being downloaded via ports 7777, 7778, 7779
Vulnerability Type: Insecure Permissions
Vendor of Product: Marbella
Affected Product Code Base: KR6, KRX
Affected Component: Unauthenticated download of sensitive media files
Attack Type: Remote
Impact Code Execution: False
Impact Information Disclosure: True
Description: The dashcam allows remote attackers nearby to connect to it and dump all sensitive media files without authentication.

Finding 3: CVE-2025-30126 - Settings can be changed without any other form of authentication
Vulnerability Type: Insecure Access Control
Vendor of Product: Marbella
Affected Product Code Base: KR6, KRX
Affected Component: Unauthenticated configuration changes
Attack Type: Remote
Impact Code Execution: True
Impact Information Disclosure: True
Description: Via port 7777, and without any need to press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection so that the dashcam eventually drains the car's battery and leaves the car unusable. While these settings are being changed, the dashcam gives no indication or sound to alert the owner that someone else is making the changes.

Finding 4: CVE-2025-30124 - Passwords are stored in plaintext and can be retrieved with physical contact
Vulnerability Type: Insecure Access Control
Vendor of Product: Marbella
Affected Product Code Base: KR6, KRX
Affected Component: Exposed passwords in plaintext
Attack Type: Physical
Impact Code Execution: False
Impact Information Disclosure: True
Description: When a new SD card is plugged into the dashcam, the existing password is automatically written onto the SD card in plaintext. An attacker with temporary physical access to the dashcam, or to the SD card alone, can retrieve the dashcam's Wi-Fi password in plaintext.