Description
In BYD Atto3, an attacker can obtain an authentication key through a brute-force attack, and the key is permanently valid once obtained. The authentication key enables flashing of the Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) related ECUs.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the BYD Atto3, brute-forcing the authentication check yields an authentication key that is permanently valid: it is not bound to a session and does not expire, so once recovered it keeps working. That key authorises the vehicle's flash utility to rewrite firmware on the Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) ECUs. The record carries CWE-307 (Improper Restriction of Excessive Authentication Attempts, the missing lockout or rate limit that makes the brute force feasible) and CWE-522 (Insufficiently Protected Credentials, the permanent key itself). An attacker holding the key could install malicious firmware on these safety-critical ECUs, so the realistic consequence is a disabled or misbehaving parking brake or airbag system rather than data loss.

Affected Systems

The BYD Atto3 electric vehicle. The record lists no specific firmware versions or hardware revisions.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild; the SSVC entry does record that a proof of concept exists (Exploitation: poc) and that exploitation is not automatable. The CVSS 3.1 score of 7.5 (High) comes from the vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H: physical access to the vehicle is required, most plausibly through the OBD-II port or a device bridged onto the in-vehicle network, no privileges or user interaction are needed, and the scope is changed (S:C) because the impact extends beyond the component performing the authentication check. Because the key is permanent, a single successful brute force gives lasting flashing capability; there is nothing to re-guess later. The impact is rated low for confidentiality (disclosure of the key itself) and high for both integrity and availability (tampering with or disabling the firmware of safety-critical ECUs).

Generated by OpenCVE AI on May 19, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor-issued fix that removes the brute-forceable, permanent authentication key as soon as one is published; none is listed at the time of writing.
  • Restrict the diagnostic and in-vehicle network paths through which the EPB and SRS ECUs can be reached: enforce authentication at the diagnostic gateway, segment the diagnostic path from the rest of the vehicle network, and allow only authorised tools to issue authentication or flash requests to these ECUs.
  • Log and monitor authentication attempts on diagnostic ports. Repeated failures against one ECU within a short window indicate brute forcing and should raise an alert, and the ECU or gateway should rate-limit or temporarily lock the authentication service after a small number of failures.
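The last two actions can be illustrated together. The block below is an added example, not OpenCVE's or BYD's code, and it assumes things the page does not state: a diagnostic gateway that writes one log line per authentication attempt in a constructed format (`<time> src=<tester id> ecu=<ecu> svc=auth result=<ok|fail>`), the threshold and window values, and the sample log itself, which is made up. It shows an offline detector over such logs (alert on a burst of failures, and again when a source that brute-forced one ECU later authenticates to any ECU, since the page's key is permanent and shared by EPB and SRS) and the enforcement-side counterpart, a per-ECU lockout of the kind CWE-307 calls for.

```python
"""Brute-force detection and lockout for ECU diagnostic authentication.

Added example, not OpenCVE's or BYD's code. It assumes a diagnostic gateway
that records each authentication attempt as one log line of the constructed
form:  <ISO-8601 UTC time> src=<tester id> ecu=<ecu> svc=auth result=<ok|fail>
Real logs differ; only parse_line() would need to change.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: a legitimate tool (tool-A) and a source (obd-x) that
# hammers the SRS authentication service until a key is accepted, then uses
# the same key on the EPB.
SAMPLE_LOG = """\
2026-05-19T18:00:00Z src=tool-A ecu=EPB svc=auth result=ok
2026-05-19T18:00:04Z src=tool-A ecu=SRS svc=auth result=fail
2026-05-19T18:00:09Z src=tool-A ecu=SRS svc=auth result=ok
2026-05-19T18:01:00Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:02Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:04Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:06Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:08Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:10Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:12Z src=obd-x ecu=SRS svc=auth result=fail
2026-05-19T18:01:14Z src=obd-x ecu=SRS svc=auth result=ok
2026-05-19T18:01:20Z src=obd-x ecu=EPB svc=auth result=ok
"""

def parse_line(line):
    """Turn one log line into a dict; 'ts' becomes a tz-aware datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def detect_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Offline detector: alert once when a source reaches `threshold` failed
    attempts against one ECU inside `window`, and again on every later success
    from that source on any ECU (a permanent key recovered on one ECU is
    reusable on the other)."""
    failures = defaultdict(deque)      # (src, ecu) -> recent failure timestamps
    flagged_sources, alerts = set(), []
    for r in records:
        if r.get("svc") != "auth":
            continue
        if r["result"] == "fail":
            q = failures[(r["src"], r["ecu"])]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and r["src"] not in flagged_sources:
                flagged_sources.add(r["src"])
                alerts.append({"kind": "bruteforce", "src": r["src"], "ecu": r["ecu"],
                               "failures": len(q), "first": q[0], "last": r["ts"]})
        elif r["result"] == "ok" and r["src"] in flagged_sources:
            alerts.append({"kind": "success_after_bruteforce", "src": r["src"],
                           "ecu": r["ecu"], "at": r["ts"]})
    return alerts

class AuthLockout:
    """Enforcement side (CWE-307 mitigation): after `max_failures` failures
    within `window`, refuse every attempt at that ECU for `lock_for`. Keyed by
    ECU rather than by source, because a tester identity on an in-vehicle bus
    is unauthenticated and an attacker can change it freely."""

    def __init__(self, max_failures=3, window=timedelta(seconds=60),
                 lock_for=timedelta(minutes=10)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self._fails = defaultdict(deque)
        self._locked_until = {}

    def allow(self, ecu, ts):
        until = self._locked_until.get(ecu)
        return until is None or ts >= until

    def record(self, ecu, ts, ok):
        q = self._fails[ecu]
        if ok:                      # a success resets the failure counter
            q.clear()
            return
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ecu] = ts + self.lock_for
            q.clear()

def replay_with_lockout(records, policy):
    """Replay the log as if `policy` had been enforced; return (accepted, rejected)."""
    accepted = rejected = 0
    for r in records:
        if r.get("svc") != "auth":
            continue
        if not policy.allow(r["ecu"], r["ts"]):
            rejected += 1
            continue
        accepted += 1
        policy.record(r["ecu"], r["ts"], r["result"] == "ok")
    return accepted, rejected
```

Run against the constructed log, `detect_bruteforce` raises one brute-force alert for obd-x on the SRS (five failures between 18:01:00 and 18:01:08) and two follow-up alerts for its later successes on the SRS and the EPB; `replay_with_lockout` with the default three-failure policy would have rejected the last five SRS attempts, including the one that succeeded. The lockout only slows the brute force and buys detection time; it does nothing about the key being permanent, which only a vendor fix can address.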



Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000
  First Time appeared: Byd; Byd atto3
  Vendors & Products: Byd; Byd atto3

Tue, 19 May 2026 21:15:00 +0000
  Title: Unauthorized ECU Flashing via Brute-Forced Authentication Key
  Weaknesses: CWE-522

Tue, 19 May 2026 19:30:00 +0000
  Metrics:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 18:45:00 +0000
  Title: Unauthorized ECU Flashing via Brute-Forced Authentication Key
  Weaknesses: CWE-307; CWE-522

Tue, 19 May 2026 17:45:00 +0000
  Description: In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T18:13:43.105Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61081

Vulnrichment

Updated: 2026-05-19T18:11:05.124Z

NVD

Status : Deferred

Published: 2026-05-19T18:16:19.767

Modified: 2026-05-19T21:05:49.167

Link: CVE-2025-61081

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:40:13Z

Weaknesses