Platform
other
Component
redbend-service
Fixed in
283.0.1
CVE-2025-32057 describes a security vulnerability in the Bosch Infotainment ECU found in the Nissan Leaf ZE1 (2020). This vulnerability stems from a failure to verify the root certificate during communication with the Redbend backend server, allowing for potential man-in-the-middle attacks. The vulnerability has a CVSS score of 6.5 (MEDIUM) and is addressed by upgrading to firmware version 283.0.1.
An attacker exploiting this vulnerability could potentially impersonate the Redbend backend server, intercepting and manipulating over-the-air (OTA) updates delivered to the vehicle's infotainment system. This could lead to the installation of malicious software, compromising vehicle functionality and potentially enabling unauthorized access to sensitive data. The attacker could inject malicious code into the update process, leading to persistent compromise of the infotainment system. This could include altering navigation data, injecting advertisements, or even gaining control of vehicle functions, depending on the capabilities of the infotainment system.
This vulnerability was first identified in the Nissan Leaf ZE1 manufactured in 2020. There is currently no public proof-of-concept (POC) available, but the potential for exploitation is considered medium due to the relatively straightforward nature of man-in-the-middle attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public disclosure occurred on 2026-01-22.
Nissan Leaf ZE1 vehicles manufactured in 2020 are directly at risk. Vehicles that have undergone aftermarket modifications to the infotainment system, particularly those involving custom firmware or network configurations, may be at increased risk. Shared vehicle fleets or rental car services utilizing the Nissan Leaf ZE1 are also potentially vulnerable.
EPSS
0.01% (0% percentile)
The primary mitigation for CVE-2025-32057 is to upgrade the vehicle's infotainment ECU firmware to version 283.0.1 or later. Nissan should release an official OTA update to address this issue. Until the update is available, consider isolating the vehicle from untrusted networks to minimize the risk of interception. While a full rollback is not feasible, ensure that any third-party applications or modifications to the infotainment system are thoroughly vetted to prevent the introduction of malicious code. Monitor network traffic for suspicious connections to Redbend servers.
Update the SSL/TLS configuration of the Redbend service so that verification of the server's root certificate is enabled. This prevents an attacker from impersonating the Redbend backend server with a self-signed certificate. Consult the Infotainment ECU manufacturer's documentation for specific instructions on correctly configuring SSL/TLS certificate verification.
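As an added illustration (not code from the advisory, Bosch, Nissan or Redbend), the weak client configuration described above beside the corrected one, expressed with Python's ssl module; the pinned CA bundle path is an assumed placeholder, and the audit helper reports the settings that allow backend impersonation.

```python
import socket
import ssl

# Assumed placeholder for a root CA bundle shipped with the firmware
# (not a path taken from the advisory).
PINNED_ROOT_CA = "/etc/ota/redbend-root-ca.pem"


def weak_ota_context():
    """Failure mode described in the advisory: TLS is negotiated, but the
    backend's certificate chain is never validated against a trusted root,
    so a self-signed certificate from an on-path attacker is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_ota_context(ca_bundle=None):
    """Corrected configuration: require a chain that terminates in a trusted
    root (the pinned bundle when given, otherwise the platform store) and
    bind the presented certificate to the backend hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_ota_context(ctx):
    """Return the settings that would let a MITM impersonate the backend."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to hostname")
    return findings


def open_ota_channel(host, port, ctx):
    """Open a verified TLS connection to the update backend. server_hostname
    is the name check_hostname compares against the certificate."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

With the hardened context, a self-signed or otherwise untrusted backend certificate makes the handshake fail with ssl.SSLCertVerificationError instead of silently proceeding.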
CVE-2025-32057 is a medium-severity vulnerability affecting the Bosch Infotainment ECU in the Nissan Leaf ZE1 (2020) that allows attackers to impersonate Redbend servers due to a lack of SSL certificate verification.
If you own a Nissan Leaf ZE1 manufactured in 2020, you may be affected. Check for available firmware updates from Nissan to mitigate the risk.
Upgrade the vehicle's infotainment ECU firmware to version 283.0.1 or later. Monitor Nissan's official channels for update availability.
There are currently no confirmed reports of active exploitation, but the potential for exploitation exists due to the vulnerability's nature.
Refer to Nissan's official website or contact your local Nissan dealership for the latest security advisories and firmware updates related to CVE-2025-32057.