Description
Zero Motorcycles firmware versions 44 and prior enable an attacker to
forcibly pair a device with the motorcycle via Bluetooth. Once paired,
an attacker can utilize over-the-air firmware updating functionality to
potentially upload malicious firmware to the motorcycle. The motorcycle
must first be in Bluetooth pairing mode, and the attacker must be in
proximity of the vehicle and understand the full pairing process, to be
able to pair their device with the vehicle. The attacker's device must
remain paired with and in proximity of the motorcycle for the entire
duration of the firmware update.
Published: 2026-04-21
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Update Firmware
AI Analysis

Impact

Zero Motorcycles firmware versions 44 and earlier allow an attacker to force a Bluetooth pairing with the motorcycle without proper entity authentication. Once paired, the attacker can use the over‑the‑air firmware update feature to install malicious firmware, effectively gaining the ability to run arbitrary code on the bike. This flaw is a form of improper authentication and is catalogued as CWE‑322.

Affected Systems

Zero Motorcycles' firmware, versions 44 and prior, are affected. The vulnerability exists in the Bluetooth pairing and OTA update mechanisms of these firmware builds.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and there is no EPSS data available. The defect is not listed in the CISA KEV catalog, but it requires physical proximity and the motorcycle to be in pairing mode, limiting the likelihood of exploitation to organized or opportunistic attackers. The impact is potentially significant, granting attackers remote code execution through malicious firmware, but the surface is constrained by the need for close-range, manual pairing.

Generated by OpenCVE AI on April 22, 2026 at 04:33 UTC.

Remediation

Vendor Workaround

Zero Motorcycles has investigated this report and cautions users to pair their mobile device to their vehicle in a safe location where they can be sure no one else will try to pair at the same time. Once initiated, complete the full pairing process and confirm it is successful. Store physical keys in a secure location and do not leave the bike unattended with the key in the "ON" position. Zero Motorcycles plans to address this issue in a firmware update scheduled for release in May 2026. Update the firmware to the latest available version.

OpenCVE Recommended Actions

  • Apply the vendor-supplied firmware update as soon as it is released
  • When pairing, do so in a secure, private location to ensure no other device can interfere
  • Store the physical key in a secure place and avoid leaving the motorcycle in the ON position with the key when unattended

Generated by OpenCVE AI on April 22, 2026 at 04:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Zero Motorcycles
Zero Motorcycles zero Motorcycles Firmware
Vendors & Products Zero Motorcycles
Zero Motorcycles zero Motorcycles Firmware

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.
Title Zero Motorcycles Firmware Key Exchange without Entity Authentication
Weaknesses CWE-322
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Zero Motorcycles Zero Motorcycles Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-22T17:51:45.219Z

Reserved: 2026-01-22T18:31:58.496Z

Link: CVE-2026-1354

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T22:16:18.643

Modified: 2026-04-21T22:16:18.643

Link: CVE-2026-1354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:54Z

Weaknesses