November 05, 2025
At the Security Analyst Summit 2025, Kaspersky presented the results of a security audit that has exposed a significant security flaw enabling unauthorized access to all connected vehicles of one automotive manufacturer.
Kaspersky researchers uncovered a critical weakness in a car manufacturer’s telematics system, rooted in a zero-day vulnerability in a contractor’s publicly accessible application. Exploiting the chain allowed remote control over connected vehicles, including dangerous actions such as forcing gear shifts or shutting off engines mid-drive. The entry point was a SQL injection vulnerability in the contractor’s wiki application, which exposed user credentials and sensitive configuration data for the manufacturer’s telematics infrastructure. Further investigation revealed a misconfigured firewall and weak credentials, which together granted full control over the telematics system and, through it, access to the vehicles’ Controller Area Network (CAN) bus, making it possible to manipulate key vehicle functions.
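The first link in the chain above, a SQL injection in a public wiki that hands an attacker stored credentials and configuration, is easy to reproduce in miniature. The following is an added example and is not code from Kaspersky, the contractor or the affected wiki product: an in-memory SQLite database with invented table names, a page search that splices user input into the query text, and the parameterized form that defeats the same payload. All data, table and column names are constructed for the illustration.

```python
"""Constructed illustration of the SQL-injection-to-credential-leak step.

An in-memory SQLite database stands in for the contractor's wiki. The table
and column names, users, passwords and configuration values are assumptions
for this example, not the real application's.
"""
import sqlite3

# Constructed sample data: wiki pages, the wiki's user table (weak passwords
# stored in clear text, as the audit describes) and telematics configuration.
SAMPLE_PAGES = [
    ("Telematics onboarding", "How to enrol a new telematics unit."),
    ("VPN access", "Request a VPN account from IT."),
]
SAMPLE_USERS = [
    ("admin", "admin123"),            # weak, clear-text password (constructed)
    ("svc_telematics", "Winter2024"),
]
SAMPLE_CONFIG = [
    ("telematics_api_host", "10.0.5.20"),
    ("telematics_api_key", "EXAMPLE-NOT-A-REAL-KEY"),
]


def build_wiki_db() -> sqlite3.Connection:
    """Create the stand-in wiki database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages  (title TEXT, body TEXT);
        CREATE TABLE users  (username TEXT, password TEXT);
        CREATE TABLE config (key TEXT, value TEXT);
        """
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO config VALUES (?, ?)", SAMPLE_CONFIG)
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    """Deliberately vulnerable: the search term is spliced into the SQL text."""
    sql = f"SELECT title, body FROM pages WHERE title LIKE '%{query}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, query: str) -> list:
    """Hardened: the term travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT title, body FROM pages WHERE title LIKE ?"
    return conn.execute(sql, (f"%{query}%",)).fetchall()


# UNION-based payloads. The injected SELECT must return the same number of
# columns (2) as the page query; the trailing "--" comments out the remainder
# of the original statement, including its closing quote.
DUMP_USERS = "x' UNION SELECT username, password FROM users --"
DUMP_CONFIG = "x' UNION SELECT key, value FROM config --"


def demo() -> tuple:
    """Run both payloads against the vulnerable search and one against the safe one."""
    conn = build_wiki_db()
    leaked_users = search_vulnerable(conn, DUMP_USERS)
    leaked_config = search_vulnerable(conn, DUMP_CONFIG)
    unaffected = search_safe(conn, DUMP_USERS)
    return leaked_users, leaked_config, unaffected


if __name__ == "__main__":
    users, config, safe = demo()
    print("vulnerable search leaked users:  ", users)
    print("vulnerable search leaked config: ", config)
    print("parameterised search, same payload:", safe)
```

The vulnerable search returns every username and password, then every configuration key and value, because the injected `UNION SELECT` is executed as part of the query. The parameterized search returns nothing for the same input: SQLite treats the whole payload as a literal pattern to match against page titles. A real wiki would also hash its passwords and keep infrastructure secrets out of its database; the clear-text storage here mirrors the weak practice the audit calls out.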
“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,” comments Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.
About Kaspersky ICS CERT
Kaspersky ICS CERT is primarily focused on identifying and addressing potential and existing threats to industrial automation systems and the Industrial Internet of Things (IIoT). The team has identified and helped eliminate hundreds of vulnerabilities in widely used ICS products and components, enhancing the security and resilience of these critical systems against sophisticated cyberattacks.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise are constantly transformed into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them.