CVE-2025-6029 (GCVE-0-2025-6029)

Vulnerability from cvelistv5 – Published: 2025-06-13 14:25 – Updated: 2025-06-13 14:52
VLAI?
Title
KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack
Summary
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release.  CVE Record will be updated once this is clarified.
Severity ?
9.4 (Critical)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
  • CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
Vendor Product Version
KIA Aftermarket Generic Smart Keyless Entry System Affected: KIA Ecuador Key Fobs version 2022/2023
Create a notification for this product.
Credits
Danilo Erazo
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T14:52:08.865188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T14:52:13.217Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Aftermarket Generic Smart Keyless Entry System",
          "vendor": "KIA",
          "versions": [
            {
              "status": "affected",
              "version": "KIA Ecuador Key Fobs version 2022/2023"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Danilo Erazo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\u0026nbsp;Key Fob Transmitter in KIA-branded Aftermarket Generic Smart  Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\u003cbr\u003e\u003cbr\u003eManufacture is unknown at the time of release.\u0026nbsp; CVE Record will be updated once this is clarified.\u0026nbsp;"
            }
          ],
          "value": "Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\u00a0Key Fob Transmitter in KIA-branded Aftermarket Generic Smart  Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\n\nManufacture is unknown at the time of release.\u00a0 CVE Record will be updated once this is clarified."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        },
        {
          "capecId": "CAPEC-112",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-112 Brute Force"
            }
          ]
        },
        {
          "capecId": "CAPEC-117",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-117 Interception"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294 Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T14:25:50.597Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://asrg.io/security-advisories/cve-2025-6029-kia-branded-aftermarket-generic-smart-keyless-entry-system-replay-attack/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eReplace the current Keyless Entry System (KES) with one that utilizes rolling code\u0026nbsp;technology.\u003c/li\u003e\u003cli\u003eAvoid using key fobs with fixed or learning-code systems.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "*  Replace the current Keyless Entry System (KES) with one that utilizes rolling code\u00a0technology.\n  *  Avoid using key fobs with fixed or learning-code systems."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2025-6029",
    "datePublished": "2025-06-13T14:25:50.597Z",
    "dateReserved": "2025-06-12T14:11:07.087Z",
    "dateUpdated": "2025-06-13T14:52:13.217Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6029\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-13T14:52:08.865188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-13T14:52:10.592Z\"}}], \"cna\": {\"title\": \"KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Danilo Erazo\"}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}, {\"capecId\": \"CAPEC-112\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-112 Brute Force\"}]}, {\"capecId\": \"CAPEC-117\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-117 Interception\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.4, \"Automatable\": \"NO\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"KIA\", \"product\": \"Aftermarket Generic Smart Keyless Entry System\", \"versions\": [{\"status\": \"affected\", \"version\": \"KIA Ecuador Key Fobs version 2022/2023\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"*  Replace the current Keyless Entry System (KES) with one that utilizes rolling code\\u00a0technology.\\n  *  Avoid using key fobs with fixed or learning-code systems.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cul\u003e\u003cli\u003eReplace the current Keyless Entry System (KES) with one that utilizes rolling code\u0026nbsp;technology.\u003c/li\u003e\u003cli\u003eAvoid using key fobs with fixed or learning-code systems.\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/\", \"tags\": [\"related\"]}, {\"url\": \"https://asrg.io/security-advisories/cve-2025-6029-kia-branded-aftermarket-generic-smart-keyless-entry-system-replay-attack/\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\\u00a0Key Fob Transmitter in KIA-branded Aftermarket Generic Smart  Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\\n\\nManufacture is unknown at the time of release.\\u00a0 CVE Record will be updated once this is clarified.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use of fixed learning codes, one code to lock the car and the other code to unlock it, the\u0026nbsp;Key Fob Transmitter in KIA-branded Aftermarket Generic Smart  Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack.\u003cbr\u003e\u003cbr\u003eManufacture is unknown at the time of release.\u0026nbsp; CVE Record will be updated once this is clarified.\u0026nbsp;\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307 Improper Restriction of Excessive Authentication Attempts\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-294\", \"description\": \"CWE-294 Authentication Bypass by Capture-replay\"}]}], \"providerMetadata\": {\"orgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"shortName\": \"ASRG\", \"dateUpdated\": \"2025-06-13T14:25:50.597Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-6029\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-13T14:52:13.217Z\", \"dateReserved\": \"2025-06-12T14:11:07.087Z\", \"assignerOrgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"datePublished\": \"2025-06-13T14:25:50.597Z\", \"assignerShortName\": \"ASRG\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.