Serious security flaws found threatening vehicle safety, Kaspersky shares its findings

Ali Wadi Hasan

Earlier today, Kaspersky presented the results of a security audit that exposed a significant security flaw enabling unauthorized access to all connected vehicles of one automotive manufacturer. The announcement came on the final day of the Security Analyst Summit 2025, which MENA TECH was attending as the exclusive Middle East media partner.

By exploiting a zero-day vulnerability in a contractor’s publicly accessible application, it was possible to take control of the vehicle’s telematics system, jeopardizing the physical safety of drivers and passengers. For example, attackers could force gear shifts or shut off the engine while the car was being driven. The findings highlight potential cybersecurity weaknesses in the automotive industry, prompting calls for stronger security measures.

The car manufacturer’s side

The security audit was performed remotely and focused on the manufacturer’s publicly accessible services and the contractor’s infrastructure. Kaspersky found several exposed web services.

First, by exploiting a zero-day SQL injection vulnerability in the wiki application (a web-based platform that allows users to collaboratively create, edit, and manage content), the researchers managed to extract a list of users on the contractor’s side along with password hashes, some of which were guessed due to a weak password policy.

This breach allowed access to the contractor’s issue-tracking system, a software tool used to manage and track tasks, bugs, and issues within a project. It contained sensitive configuration details about the manufacturer’s telematics infrastructure, including a file with hashed passwords of users of one of the manufacturer’s vehicle telematics servers.

In a modern car, telematics involves collecting, transmitting, analyzing, and using various data (such as speed and geolocation) from connected vehicles.

The connected vehicle side

On the connected vehicle side, Kaspersky found a misconfigured firewall that exposed internal servers. Using a previously obtained service account password, the researchers accessed the server’s file system and uncovered credentials for another contractor, which gave full control over the telematics infrastructure.

Most alarmingly, the researchers found a firmware-update command that allowed them to upload altered firmware to the Telematics Control Unit (TCU). This gave them access to the vehicle’s CAN (Controller Area Network) bus—a system connecting various parts like the engine and sensors. Subsequently, they accessed other systems, including the engine and transmission. This could enable manipulation of critical vehicle functions, potentially endangering driver and passenger safety.

“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,” comments Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.

Kaspersky advises that contractors limit internet access to web services through VPN, separate services from corporate networks, enforce strict password policies, use 2FA, encrypt sensitive data, and connect logging with a SIEM system for real-time monitoring.

Furthermore, Kaspersky recommends that the automotive manufacturer restrict access to the telematics platform from the vehicle network segment, use allowlists for network communications, disable SSH password authentication, run services with minimal privileges, verify command authenticity in TCUs, and integrate with SIEMs.
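One way a TCU can meet the last of those recommendations, checking that a firmware-update command is authentic and not a replay before applying it, as an added example that is not Kaspersky’s, the manufacturer’s or the contractor’s code. The key, the command name and the message layout are assumptions; a shared-key HMAC is used so the example runs with the standard library alone, but an asymmetric signature would be preferable in a real vehicle so that a compromised backend cannot forge commands.

```python
import hashlib
import hmac
import json

# Hypothetical shared signing key, constructed for this demo only. On a real TCU it would be
# provisioned into a secure element, and an asymmetric scheme (e.g. Ed25519) would be used.
COMMAND_KEY = b"demo-tcu-command-key-not-for-production"


def sign_command(key: bytes, seq: int, cmd: str, payload: bytes) -> bytes:
    """Tag (seq, cmd, sha256(payload)) so that changing any field invalidates the tag."""
    fw_hash = hashlib.sha256(payload).hexdigest()
    msg = json.dumps({"seq": seq, "cmd": cmd, "fw_sha256": fw_hash}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Tcu:
    """Minimal model of a TCU that applies only authenticated, non-replayed updates."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0            # monotonic counter, kept in non-volatile storage
        self.firmware = b"factory-image"

    def handle_update(self, seq: int, cmd: str, payload: bytes, tag: bytes) -> str:
        if cmd != "firmware_update":
            return "rejected: unknown command"
        if seq <= self._last_seq:     # replayed or stale command
            return "rejected: stale sequence number"
        expected = sign_command(self._key, seq, cmd, payload)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "rejected: bad signature"
        self._last_seq = seq          # advance only after a valid tag
        self.firmware = payload
        return "applied"


def demo() -> list:
    """Run four scenarios against one TCU and return the verdicts in order."""
    tcu = Tcu(COMMAND_KEY)
    good = b"firmware-v2"
    tag = sign_command(COMMAND_KEY, 1, "firmware_update", good)
    results = [tcu.handle_update(1, "firmware_update", good, tag)]            # genuine update
    results.append(tcu.handle_update(2, "firmware_update", b"altered", tag))  # tampered image
    results.append(tcu.handle_update(1, "firmware_update", good, tag))        # replay of seq 1
    forged = sign_command(b"wrong-key", 3, "firmware_update", b"other")
    results.append(tcu.handle_update(3, "firmware_update", b"other", forged))  # unknown key
    return results
```

Only the first scenario changes the installed firmware; the altered image, the replay and the command tagged with the wrong key are all refused before anything is written.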

MENA TECH – The leading Arabic-language media platform for technology and business