CVE-2025-6030
9.4
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N
Summary
Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack.
Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Autoeastern | Cyclone Matrix TRF | 2024 <= 2025 | affected |
Weaknesses
- CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts
- CWE-294: CWE-294 Authentication Bypass by Capture-replay
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/
- https://asrg.io/security-advisories/cve-2025-6030-autoeastern-smart-keyless-entry-system-replay-attack/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.