CVE-2025-30183 Overview
CVE-2025-30183 affects the CyberData 011209 SIP Emergency Intercom, an IP-based communication device used in industrial and emergency notification deployments. The device does not properly store or protect web server administrator credentials. A remote unauthenticated attacker with network access to the device can retrieve administrative credentials from it. CISA documented the issue in ICS Advisory ICSA-25-155-01. The weakness maps to [CWE-522] Insufficiently Protected Credentials.
Critical Impact
Remote unauthenticated attackers can recover web administrator credentials, enabling full takeover of the intercom and the emergency notification workflows it supports.
Affected Products
- CyberData 011209 SIP Emergency Intercom (hardware)
- CyberData 011209 SIP Emergency Intercom firmware
- Deployments exposing the device web management interface to untrusted networks
Discovery Timeline
- 2025-06-09 - CVE-2025-30183 published to the National Vulnerability Database
- 2025-06-09 - CISA publishes ICS Advisory ICSA-25-155-01 covering the issue
- 2025-08-12 - Last updated in NVD database
Technical Details for CVE-2025-30183
Vulnerability Analysis
The CyberData 011209 SIP Emergency Intercom stores web administrator credentials without sufficient protection. The device exposes credential material in a manner that allows recovery without authentication. The flaw maps to [CWE-522] Insufficiently Protected Credentials, a category that covers plaintext storage, reversible encoding, and credentials embedded in retrievable configuration objects.
Successful exploitation grants the attacker access to the web administration interface. From that interface, an attacker can change SIP configuration, redirect calls, disable emergency notification routing, alter audio output, or pivot to adjacent devices that share the recovered password. The CVSS vector indicates a network-reachable attack with no required privileges and no user interaction, with the impact concentrated on the confidentiality of the credential store.
Root Cause
The firmware fails to apply a one-way cryptographic transformation or hardware-backed storage to administrator credentials. Credential material is accessible through the device's web service surface without prior authentication. Embedded device vendors commonly fall into this pattern by reusing configuration export endpoints, exposing backup files, or returning credentials inside diagnostic responses.
Attack Vector
An attacker with network reachability to the intercom's HTTP management service issues unauthenticated requests to retrieve stored credentials. Once recovered, the attacker logs in as administrator and reconfigures the device. No verified public proof-of-concept code is available. Refer to the CISA ICS Advisory ICSA-25-155-01 for vendor-coordinated technical details.
Detection Methods for CVE-2025-30183
Indicators of Compromise
- Unexpected administrator logins to the CyberData 011209 web interface from external or non-management subnets
- Changes to SIP server, dial plan, or audio output configuration that do not match a change ticket
- HTTP requests to the device targeting configuration export, backup, or diagnostic endpoints from unknown source addresses
Detection Strategies
- Inventory all CyberData 011209 intercoms and identify firmware versions in scope of ICSA-25-155-01
- Capture network flows to and from intercom management interfaces and alert on access outside the operations VLAN
- Compare current device configuration against a known-good baseline at a regular interval
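The flow-based alerting described above can be prototyped as follows. This is an added example, not vendor or CISA code: the CSV flow layout is hypothetical, the sample records are constructed, the subnet and device address are the placeholders from this page's firewall example, and watching port 443 in addition to 80 is an assumption.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values, taken from the placeholder addresses in this page's firewall rule.
MGMT_NET = ip_network("10.10.20.0/24")
INTERCOMS = {ip_address("10.50.1.25")}
MGMT_PORTS = {80, 443}  # 443 is an assumption; the page's rule covers only 80

# Constructed sample flow records (not real telemetry): time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2025-06-10T08:00:01Z,10.10.20.14,10.50.1.25,tcp,80
2025-06-10T08:03:40Z,10.30.7.88,10.50.1.25,tcp,80
2025-06-10T08:03:42Z,10.30.7.88,10.50.1.25,tcp,80
2025-06-10T08:05:00Z,10.30.7.88,10.50.1.25,udp,5060
2025-06-10T08:09:13Z,198.51.100.23,10.50.1.25,tcp,443
2025-06-10T08:10:00Z,10.30.7.88,10.50.9.9,tcp,80
"""

def find_unauthorized_mgmt_access(flow_csv):
    """Return {source_ip: {"count", "first", "last"}} for TCP flows that reach
    an intercom management port from outside the management subnet."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = (f.strip() for f in row)
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparseable address or port
        if proto.lower() != "tcp" or dst_ip not in INTERCOMS or port not in MGMT_PORTS:
            continue  # not management traffic to an inventoried intercom
        if src_ip in MGMT_NET:
            continue  # authorized management host
        entry = hits[src]
        entry["count"] += 1
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_unauthorized_mgmt_access(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info['count']} flow(s), {info['first']} to {info['last']}")
```

Populate `INTERCOMS` from the device inventory so every in-scope intercom is covered, and feed the function with exported flow records from the segment's router or sensor.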
Monitoring Recommendations
- Forward web server and SIP logs from the intercom to a central log platform for review
- Alert on administrator password changes, firmware updates, and new SIP registrations
- Monitor for credential reuse by watching for the device administrator password appearing in authentication attempts against other systems
How to Mitigate CVE-2025-30183
Immediate Actions Required
- Remove the intercom's management interface from any network reachable by untrusted users, including the public internet
- Place the device behind a firewall or management VLAN that restricts HTTP access to authorized administrators
- Rotate the administrator password and any shared credential reused on adjacent devices
- Review device configuration for unauthorized changes to SIP routing or audio output
Patch Information
Review the CISA ICS Advisory ICSA-25-155-01 for vendor remediation guidance and any firmware update applicable to the CyberData 011209 SIP Emergency Intercom. Apply the vendor-provided firmware update once available and confirm the credential storage behavior has changed.
Workarounds
- Segment intercoms onto a dedicated VLAN with access control lists permitting only the management host
- Require VPN access for any remote administration of the device
- Disable any unused HTTP services on the device where the firmware allows
# Example firewall rule restricting access to the intercom management interface
# Replace 10.10.20.0/24 with the management subnet and 10.50.1.25 with the device IP
iptables -A FORWARD -s 10.10.20.0/24 -d 10.50.1.25 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 10.50.1.25 -p tcp --dport 80 -j DROP


