According to a press release, at Security Analyst Summit 2025 in October Kaspersky presented the results of a security audit that exposed a significant security flaw enabling unauthorised access to all connected vehicles of one automotive manufacturer.
Kaspersky researchers uncovered a critical security breach in a car manufacturer’s telematics system caused by a zero-day vulnerability in a contractor’s publicly accessible application.
Exploiting this flaw allowed remote control over connected vehicles, including dangerous actions such as forcing gear shifts or shutting off engines mid-drive, it said.
The breach originated from an SQL injection vulnerability in the contractor’s wiki application, which enabled access to user credentials and sensitive configuration data linked to the manufacturer’s telematics infrastructure.
Further investigation revealed a misconfigured firewall and weak credentials, which together granted full control over the telematics system and access to the vehicle’s Controller Area Network (CAN) bus, making it possible to manipulate key vehicle functions.
‘This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,’ commented Artem Zinenko, head of Kaspersky ICS CERT Vulnerability Research and Assessment.