
The automotive industry is racing to secure software-defined vehicles (SDVs) by strengthening core systems through encrypted communications, fault-isolated architectures, and continuous software updates. But these efforts can be easily undermined by a largely unregulated, fast-growing space: aftermarket devices.
VicOne’s researchers uncovered five zero-day vulnerabilities in two widely used aftermarket peripherals: the CarlinKit CPC200-CCPA (a wireless CarPlay/Android Auto dongle) and the 70mai A510 (a smart dashcam). At a glance, these are:
- CVE-2025-2765: Hard-coded weak Wi-Fi credentials and authentication bypass
- CVE-2025-2763: Remote code execution (RCE) via web upload
- CVE-2025-2764: Arbitrary code execution from external USB drive
- CVE-2025-2762: Missing hardware root of trust
- CVE-2025-2766: Default password authentication bypass
These critical flaws allow attackers to bypass authentication, execute arbitrary code, and establish persistent control over devices positioned at the intersection of a driver’s mobile life and in-vehicle infotainment system (IVI). We estimate that over 85,000 of these devices are currently exposed worldwide, and that number is increasing rapidly.
VicOne’s automotive cybersecurity researchers submitted their findings to Trend Micro’s Zero Day Initiative (ZDI), VicOne’s co-host for Pwn2Own Automotive and long-standing partner in vulnerability discovery and disclosure. In line with Trend ZDI’s disclosure policy, Trend ZDI notified the vendors that the findings would be published as zero-day vulnerabilities if no response was received within a specified time frame.
Mapping the zero-day vulnerabilities to the Automotive Threat Matrix
We mapped the zero-days to the Auto-ISAC Automotive Threat Matrix (ATM) to highlight how basic oversights in aftermarket devices can create severe threat pathways within established automotive attack surfaces. This exercise underscores the structured nature of automotive cybersecurity analysis and highlights the need for systematic defenses aligned with recognized threat models.
| CVE | Description | Primary ATM Tactic | Technique Mapping (Source 1.1) | CVSS Score |
|---|---|---|---|---|
| CVE-2025-2765 | The CarlinKit CPC200-CCPA dongle uses a hard-coded and weak Wi-Fi password. Once an attacker connects to this network, they can access the configuration webpage without any additional authentication. From there, the attacker can upload a specially crafted update package, enabling remote code execution and root privilege escalation. | Initial Access | Unsecured Credentials (ATM-T0040) and Aftermarket, Customer, or Dealer Equipment (ATM-T0010) | 8.8 (High) |
| CVE-2025-2763 | The device’s firmware update process does not verify the cryptographic signature, allowing RCE via a malicious package uploaded to the web UI. | Execution | Command and Scripting Interpreter (ATM-T0018) and Exploit Isolated Execution Environment Vulnerability (ATM-T0027) | 6.8 (Medium) |
| CVE-2025-2764 | The device accepts firmware update files from a USB drive without performing any signature verification, allowing arbitrary code execution with root privileges. | Execution | Exploit via Removable Media (ATM-T0013) and Native API (ATM-T0019) | 8.0 (High) |
| CVE-2025-2762 | The device’s bootloader and kernel lack verification, enabling permanent privilege escalation and persistent backdoors that survive reboots. | Persistence and Privilege Escalation | Modify OS Kernel, Boot Partition, or System Partition (ATM-T0022) and Abuse Elevation Control Mechanism (ATM-T0024) | 7.8 (High) |
Table 1. CarlinKit CPC200-CCPA zero-day vulnerabilities mapped to ATM
| CVE | Description | Primary ATM Tactic | Technique Mapping (Source 1.1) | CVSS Score |
|---|---|---|---|---|
| CVE-2025-2766 | The 70mai A510 dashcam uses a fixed default Wi-Fi password that cannot be changed, allowing unauthorized file system access. | Initial Access and Collection | Unsecured Credentials (ATM-T0040) and Data from Local System (ATM-T0059) | 8.8 (High) |
Table 2. 70mai A510 zero-day vulnerability mapped to the ATM
Real-world attack scenarios
The following scenarios show how the zero-day vulnerabilities become real attacks.
Scenario 1: The “Drive-by” data interception
ATM Tactics: Initial Access, Collection
An attacker targets a public parking lot, airport garage, or even a congested highway.
Reconnaissance & Initial Access: The attacker passively scans for Wi-Fi networks broadcasting known SSIDs of the affected devices. By using hard-coded or default passwords (ATM-T0040: Unsecured Credentials), they connect to the device’s local network without needing physical access to the vehicle.
Collection:
- 70mai dashcam: Once connected, the attacker can immediately download or overwrite sensitive video recordings, GPS logs, and timestamps (ATM-T0059: Data from Local System). This compromises driver privacy and the integrity of potential legal evidence.
- CarlinKit dongle: The attacker can monitor the unencrypted data stream passing through the dongle, potentially capturing data mirrored from the driver’s phone (ATM-T0038: Network Sniffing).
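The initial-access step in this scenario works only because the passphrase is the same on every unit. The mitigation on the device maker's side is a provisioning policy that refuses fixed or weak passphrases and issues a random per-unit one instead. The Go program below is an added example written for this post, not code from VicOne, CarlinKit or 70mai; the blocklist of "known defaults", the policy thresholds and the serial number are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// MinPassphraseLen is the provisioning policy floor. WPA2-PSK itself accepts
// 8 to 63 printable ASCII characters, so an 8-character default is "valid"
// to the standard and still trivially guessable.
const MinPassphraseLen = 16

// knownDefaults is a constructed blocklist standing in for whatever fixed
// strings a product line has ever shipped with; not a list from the research.
var knownDefaults = map[string]bool{
	"12345678": true,
	"88888888": true,
	"password": true,
}

// WeakReason returns why a candidate passphrase is rejected, or "" if it passes policy.
func WeakReason(p string) string {
	if knownDefaults[strings.ToLower(p)] {
		return "matches a known fixed default"
	}
	if len(p) < MinPassphraseLen {
		return fmt.Sprintf("shorter than %d characters", MinPassphraseLen)
	}
	if len(p) > 63 {
		return "longer than the 63-character WPA2 limit"
	}
	classes := map[string]bool{}
	distinct := map[rune]bool{}
	for _, r := range p {
		if r < 0x20 || r > 0x7e {
			return "contains a non-printable or non-ASCII character"
		}
		distinct[r] = true
		switch {
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["symbol"] = true
		}
	}
	if len(distinct) < 6 {
		return "too few distinct characters"
	}
	if len(classes) < 3 {
		return "uses fewer than three character classes"
	}
	return ""
}

// alphabet omits look-alike glyphs (0/O, 1/l/I) because the passphrase is
// meant to be read off a label and typed once into a phone.
const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"

// GeneratePassphrase draws n characters from crypto/rand and re-draws until
// the result also satisfies WeakReason, so policy is enforced in one place.
func GeneratePassphrase(n int) (string, error) {
	if n < MinPassphraseLen || n > 63 {
		return "", fmt.Errorf("length %d outside policy range", n)
	}
	for {
		var sb strings.Builder
		for i := 0; i < n; i++ {
			idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			sb.WriteByte(alphabet[idx.Int64()])
		}
		if p := sb.String(); WeakReason(p) == "" {
			return p, nil
		}
	}
}

// ProvisionWiFi decides what one unit (identified by serial) ships with: the
// supplied candidate if it passes policy, otherwise a fresh random passphrase.
// The returned bool reports whether the candidate was replaced.
func ProvisionWiFi(serial, candidate string) (string, bool, error) {
	if WeakReason(candidate) == "" {
		return candidate, false, nil
	}
	p, err := GeneratePassphrase(20)
	if err != nil {
		return "", false, fmt.Errorf("unit %s: %w", serial, err)
	}
	return p, true, nil
}

func main() {
	for _, c := range []string{"12345678", "Tr0ub4dor&3-xyz!!"} {
		p, replaced, err := ProvisionWiFi("SN-EXAMPLE-0001", c) // constructed serial
		if err != nil {
			panic(err)
		}
		fmt.Printf("candidate %q -> %q (replaced=%v, reason=%q)\n", c, p, replaced, WeakReason(c))
	}
}
```

The generated value should be printed on the unit's label or shown once in the companion app, never derived from the serial number or MAC address, since anything derivable from a broadcast identifier is as good as a fixed default to a nearby attacker.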
Scenario 2: Supply chain compromise and permanent backdoors
ATM Tactics: Execution, Persistence
This scenario leverages the critical flaws in firmware verification to establish permanent, undetectable control over the device.
Execution: An attacker creates a weaponized “performance-boosting” firmware update and distributes it through enthusiast forums or via targeted social engineering. Because the device lacks signature validation, it accepts and executes the malicious update with root privileges (ATM-T0013: Exploit via Removable Media or ATM-T0018: Command and Scripting Interpreter).
Persistence: The attacker exploits the device’s Missing Root of Trust (ATM-T0024: Abuse Elevation Control Mechanism) to install a permanent module in the boot partition. This backdoor survives factory resets and standard firmware updates, ensuring the compromise persists indefinitely (ATM-TA0004: Persistence).
Command and Control (C2): Once established, the compromised device can exfiltrate data, capture audio or contextual information from the vehicle environment, or remain dormant until it receives remote commands (ATM-TA0011: Command and Control).
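Both the web-upload and USB paths in Table 1 (CVE-2025-2763 and CVE-2025-2764) and the Execution step of this scenario come down to the same missing gate: the device applies whatever image it is handed. The Go program below is an added example for this post, not code from VicOne or the device vendors, showing the check a device should perform before any update, wherever it arrived from. The package layout (a small manifest, an Ed25519 signature over it, and the image bound by its SHA-256 digest) is constructed for the example; a real product would pin the vendor public key in immutable storage, which is exactly what the missing root of trust (CVE-2025-2762) makes impossible on the affected dongle.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the only thing the vendor signs; the image is bound to it
// through its SHA-256 digest, so a swapped image breaks the binding.
type Manifest struct {
	Version   uint32
	ImageHash [sha256.Size]byte
}

// UpdatePackage is the constructed layout for this example: manifest,
// vendor signature over the encoded manifest, and the firmware image.
type UpdatePackage struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// encodeManifest serialises the manifest deterministically so the signer
// and the verifier hash exactly the same bytes.
func encodeManifest(m Manifest) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignUpdate is the vendor-side step: digest the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return UpdatePackage{Manifest: m, Signature: ed25519.Sign(priv, encodeManifest(m)), Image: image}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrImageHash    = errors.New("image digest does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// VerifyUpdate is the device-side gate. It must pass for an image arriving
// from the web UI and from a USB stick alike, before a single byte is written
// to flash. The installed version check closes the rollback-to-vulnerable path.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage, installed uint32) error {
	// ed25519.Verify returns false (does not panic) for a wrong-length signature.
	if !ed25519.Verify(pub, encodeManifest(pkg.Manifest), pkg.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(pkg.Image)
	if !bytes.Equal(got[:], pkg.Manifest.ImageHash[:]) {
		return ErrImageHash
	}
	if pkg.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Vendor key pair; on a real device only pub would exist, pinned in ROM/OTP.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample
	good := SignUpdate(priv, 2, image)
	fmt.Println("genuine package:", VerifyUpdate(pub, good, 1))

	// "Performance-boosting" image distributed with the genuine manifest.
	tampered := good
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image: ", VerifyUpdate(pub, tampered, 1))

	// Same content re-signed by someone without the vendor key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, 2, image)
	fmt.Println("wrong signer:   ", VerifyUpdate(pub, forged, 1))

	// Genuine but older package replayed to reintroduce a fixed bug.
	fmt.Println("rollback:       ", VerifyUpdate(pub, good, 2))
}
```

The order of checks matters: the signature is verified before the image digest is even computed, so the device never spends work on, or trusts any field of, a manifest that was not produced by the vendor.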
Scenario 3: Lateral movement and IVI system threat
ATM Tactics: Lateral Movement, Affect Vehicle Function
A compromised aftermarket device serves as a dangerous bridge, connecting an insecure external network to the vehicle’s IVI systems.
Lateral Movement: With root access on the dongle, the attacker can begin scanning and probing the IVI system through the USB connection (ATM-T0044: Network Service Scanning).
Affect Vehicle Function (Indirect): By compromising the IVI, the attacker could manipulate information displayed to the driver, leading to distraction or confusion. In more complex vehicles, where the IVI serves as a gateway to other subsystems, such a compromise may yield pathways that indirectly affect vehicle functions, violating integrity and safety principles (ATM-T0067: Abuse Standard Diagnostic Protocol for Affecting Vehicle Function).
Conclusion: The need for supply chain governance
The zero-day vulnerabilities in the CarlinKit dongle and 70mai dashcam underscore a critical truth: securing SDVs is fundamentally a supply chain challenge. Given that these aftermarket devices are widely deployed, the cumulative risk to drivers and vehicles demands urgent and decisive action.
Automotive cybersecurity must extend beyond the OEM to include rigorous, ATM-informed security standards for all aftermarket peripherals. Until this “gray zone” is addressed through clearer standards and stronger oversight, consumers will continue to unknowingly introduce high-impact vulnerabilities into otherwise secure vehicles — turning their desired convenience add-ons into significant security liabilities.