CVE-2025-32058:

Overview

A critical vulnerability has been identified in the Bosch Infotainment Electronic Control Unit (ECU) used in certain vehicles. This flaw allows an attacker who has already compromised the vehicle’s main infotainment computer to take control of a critical secondary processor. Once in control, the attacker can send arbitrary commands directly to the vehicle’s internal Controller Area Network (CAN bus), which controls core vehicle functions.

Vulnerability Explained

The infotainment system uses two main chips: a primary Application Processor (the main SoC) and a secondary microcontroller (the RH850) that handles direct communication with the car’s CAN bus. These two chips communicate using a custom protocol.

The vulnerability exists within the RH850 microcontroller. It does not properly validate the instructions it receives from the main infotainment processor. If an attacker gains control of the main infotainment system (for example, via a malicious app or a compromised USB update), they can send a specially crafted request to the RH850. This malicious request exploits the validation flaw to execute the attacker’s own code on the RH850 chip, effectively bypassing its security.

Potential Impact

The impact of this vulnerability is severe. By executing code on the RH850, an attacker gains the ability to forge and inject arbitrary messages onto the vehicle’s CAN bus. This network is responsible for communications between critical systems like the brakes, steering, engine, and airbags. Consequently, a successful attack could lead to:

• Unauthorized control of vehicle functions (e.g., disabling brakes, altering speedometer readings).
• A complete loss of driver control over safety-critical systems.
• A permanent denial-of-service, rendering the vehicle inoperable. This vulnerability was first confirmed in the 2020 Nissan Leaf ZE1 and may affect other vehicle models using the same Bosch ECU component.

Remediation and Mitigation Advice

For Vehicle Owners:

1. Contact Your Dealer: Immediately reach out to your vehicle manufacturer or authorized dealership. Inquire if a software update or recall (often called a Technical Service Bulletin or TSB) is available to patch the ECU firmware.
2. Apply Updates Promptly: Always install official infotainment system updates as soon as they are offered by the manufacturer. These often contain critical security patches.
3. Practice Caution: Be wary of connecting unknown USB devices or installing unverified third-party applications on your vehicle’s infotainment system.

For Fleet and Security Managers:

1. Asset Identification: Work with manufacturers to identify all affected vehicle models in your fleet.
2. Patch Management: Establish a strict process to ensure all vehicular software updates are applied across the entire fleet without delay.
3. Network Segmentation: Where possible, ensure vehicle diagnostic and update networks are logically separated from general corporate IT networks to limit potential attack paths.

There is no known workaround for this flaw; a firmware update from the manufacturer is required to remediate the vulnerability at its source.