Platform: other
Component: redbend-service
Fixed in: 283.0.1
CVE-2025-32057 describes a security vulnerability in the Bosch Infotainment ECU found in the Nissan Leaf ZE1 (2020). This vulnerability stems from a failure to verify the root certificate during communication with the Redbend backend server, allowing for potential man-in-the-middle attacks. The vulnerability has a CVSS score of 6.5 (MEDIUM) and is addressed by upgrading to firmware version 283.0.1.
An attacker exploiting this vulnerability could potentially impersonate the Redbend backend server, intercepting and manipulating over-the-air (OTA) updates delivered to the vehicle's infotainment system. This could lead to the installation of malicious software, compromising vehicle functionality and potentially enabling unauthorized access to sensitive data. The attacker could inject malicious code into the update process, leading to persistent compromise of the infotainment system. This could include altering navigation data, injecting advertisements, or even gaining control of vehicle functions, depending on the capabilities of the infotainment system.
This vulnerability was first identified in the Nissan Leaf ZE1 manufactured in 2020. There is currently no public proof-of-concept (POC) available, but the potential for exploitation is considered medium due to the relatively straightforward nature of man-in-the-middle attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public disclosure occurred on 2026-01-22.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2025-32057 is to upgrade the vehicle's infotainment ECU firmware to version 283.0.1 or later. Nissan should release an official OTA update to address this issue. Until the update is available, consider isolating the vehicle from untrusted networks to minimize the risk of interception. Rolling the firmware back is not a feasible workaround, so instead ensure that any third-party applications or modifications to the infotainment system are thoroughly vetted to prevent the introduction of malicious code. Monitor network traffic for suspicious connections to Redbend servers.
Update the SSL/TLS configuration of the Redbend service to enable server root certificate verification. This will prevent an attacker from impersonating the Redbend backend server using a self-signed certificate. Refer to the Infotainment ECU system manufacturer's documentation for specific instructions on how to correctly configure SSL/TLS certificate verification.
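As an added illustration, not code from Nissan, Bosch or Redbend (whose client is not public), the two client configurations below use Python's ssl module to show the misconfiguration the advisory describes beside its corrected form, with an audit check that flags a client context that skips root certificate or hostname verification. The CA bundle path is a placeholder; None selects the platform's default trust store.

```python
import ssl
from typing import List, Optional

# Placeholder: a real ECU would load its own pinned CA bundle here.
CA_BUNDLE: Optional[str] = None  # None = the platform's default trust store


def weak_client_context() -> ssl.SSLContext:
    """The configuration class the advisory describes: the client accepts
    any server certificate, so a self-signed certificate presented by a
    man-in-the-middle is indistinguishable from the real backend."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation against any root
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = CA_BUNDLE) -> ssl.SSLContext:
    """Corrected configuration: the server chain must validate up to a trusted
    root and the certificate must match the host name used to connect."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code review or a runtime self-check would raise
    against a client context; an empty list means nothing was flagged."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA trust anchors loaded")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The hardened context reports "no CA trust anchors loaded" only on a system with an empty default trust store, which is itself a finding worth acting on.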
CVE-2025-32057 is a medium-severity vulnerability affecting the Bosch Infotainment ECU in the Nissan Leaf ZE1 (2020) that allows attackers to impersonate Redbend servers due to a lack of SSL certificate verification.
If you own a Nissan Leaf ZE1 manufactured in 2020, you may be affected. Check for available firmware updates from Nissan to mitigate the risk.
Upgrade the vehicle's infotainment ECU firmware to version 283.0.1 or later. Monitor Nissan's official channels for update availability.
There are currently no confirmed reports of active exploitation, but the potential for exploitation exists due to the vulnerability's nature.
Refer to Nissan's official website or contact your local Nissan dealership for the latest security advisories and firmware updates related to CVE-2025-32057.