At the Security Analyst Summit 2025, Kaspersky presented the results of a security audit that exposed a significant security flaw enabling unauthorised access to all connected vehicles of one automotive manufacturer.
By exploiting a zero-day vulnerability in a contractor's publicly accessible application, it was possible to gain control over the vehicle telematics system, compromising the physical safety of drivers and passengers. For instance, attackers could force gear shifts or turn off the engine while the vehicle is in motion. The findings highlight potential cybersecurity weaknesses in the automotive industry, prompting calls for enhanced security measures.
The security audit was conducted remotely and targeted the manufacturer's publicly accessible services and the contractor's infrastructure. Kaspersky identified several exposed web services. First, through a zero-day SQL injection vulnerability in the wiki application (a web-based platform that allows users to collaboratively create, edit, and manage content), the researchers were able to extract a list of users on the contractor's side together with their password hashes, some of which were guessed because of a weak password policy.
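The two weaknesses in this first step, a query built from user input and password hashes that are cheap to guess, are both illustrated below. This is an added example and not code from Kaspersky, the manufacturer or the contractor; the wiki's real user store, schema and application code are unknown, so the table, the sample rows and the lookup functions here are constructed stand-ins. It shows the string-concatenated lookup that an injection payload turns into a full table dump next to the parameterised form that treats the same input as a literal, and a salted scrypt hash plus a minimal password policy that make an extracted hash list far less useful to an attacker.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for a wiki user table (not the real application's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],  # constructed sample rows
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # Defect: the input is spliced into the SQL text, so quotes and operators
    # in it change the query's logic instead of being matched as data.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # Fix: a bound parameter is always sent as a value; the query structure is fixed.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Hypothetical denylist of common passwords; a real one would be far larger.
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}


def password_meets_policy(password):
    # Minimum length plus a denylist check; assumed policy, not the contractor's.
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password):
    # Memory-hard KDF with a per-user random salt: guessing a leaked hash costs
    # one full scrypt computation per candidate, and salts defeat precomputed tables.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"   # classic tautology input used for the demonstration
    print("vulnerable:", lookup_user_vulnerable(conn, payload))  # every user
    print("safe:      ", lookup_user_safe(conn, payload))        # no user named that
    record = hash_password("correct horse battery staple")
    print(record[:20] + "...", verify_password(record, "correct horse battery staple"))
```

The test-side point is that the vulnerable lookup returns all rows for an input that names no user, while the parameterised one returns none; on the password side, a leaked scrypt record with a random salt cannot be matched against a precomputed table and each guess is deliberately expensive, which is what a weak policy combined with a fast hash lacked in the audited setup.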