CVE-2025-70994

Description

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Yadea T5 Electric Bicycles (2024及以后制造)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import time

# Conceptual PoC for CVE-2025-70994 Replay Attack
# This script simulates re-transmitting a captured EV1527 fixed code signal.
# Requires hardware like Raspberry Pi with RF transmitter or SDR.

def replay_signal(captured_hex_code):
    """
    Simulates transmitting the captured signal to the vehicle.
    """
    print(f"[*] Preparing replay attack with payload: {captured_hex_code}")
    
    # In a real scenario, this would interface with GPIO or a tool like rpitx
    # Example: system("./transmit -e -p {} -f 433920000".format(captured_hex_code))
    
    for i in range(3):
        print(f"[*] Transmitting burst {i+1}/3...")
        # Logic to send the raw RF signal via hardware
        time.sleep(0.1) 
        
    print("[+] Replay attack completed. Vehicle should now be unlocked.")

# Example captured fixed code from a Yadea T5 keyfob
# This is a placeholder value for demonstration
captured_payload = "0xAABBCCDD"

if __name__ == "__main__":
    replay_signal(captured_payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-70994
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-70994
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-70994/
[4] VulDB https://vuldb.com/cve/CVE-2025-70994
[5] https://github.com/ktauchathuranga/CVE-2025-70994
[6] https://github.com/ktauchathuranga/ghost-keys
[7] https://github.com/ktauchathuranga/CVE-2025-70994

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-70994", "sourceIdentifier": "[email protected]", "published": "2026-04-23T15:36:26.687", "lastModified": "2026-04-24T14:50:56.203", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1390"}]}], "references": [{"url": "https://github.com/ktauchathuranga/CVE-2025-70994", "source": "[email protected]"}, {"url": "https://github.com/ktauchathuranga/ghost-keys", "source": "[email protected]"}, {"url": "https://github.com/ktauchathuranga/CVE-2025-70994", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}