Mazda Infotainment Vulnerabilities Expose Vehicles to High-Risk Cyber Attacks

November 8, 2024
  • Trend Micro's Zero Day Initiative (ZDI) has identified multiple vulnerabilities in the infotainment system of various Mazda models, specifically those utilizing the Mazda Connect Connectivity Master Unit (CMU) developed by Visteon.

  • These vulnerabilities pose significant safety risks, as they can be exploited using a USB device, allowing attackers to execute arbitrary code with root privileges.

  • As of November 8, 2024, none of the identified vulnerabilities have been assigned a score under the Common Vulnerability Scoring System (CVSS) and remain unpatched.

  • Mazda has not yet released patches for these vulnerabilities, and ZDI is currently awaiting a response from the company regarding the issue.

  • The CMU is popular among car modding communities and operates on software originally developed by Johnson Controls, with the current version being 74.00.324A.

  • The reported vulnerabilities include SQL injection and command injection flaws, specifically CVE-2024-8355, CVE-2024-8359, CVE-2024-8360, CVE-2024-8358, CVE-2024-8357, and CVE-2024-8356.

  • CVE-2024-8355 allows attackers to manipulate databases and execute code by spoofing an Apple device's serial number when connecting to the CMU.

  • CVE-2024-8359 and CVE-2024-8360 relate to improper input sanitization, enabling arbitrary OS command injections that could compromise the entire system.

  • If exploited, these vulnerabilities could lead to serious consequences, including denial of service, bricking of the vehicle, or ransomware attacks.

  • ZDI's analysis indicates that these vulnerabilities can be exploited in just a few minutes, particularly in scenarios where access to the vehicle is temporarily granted to third parties, such as during valet parking.

  • Dustin Childs from ZDI emphasizes the need for multilayered security systems to protect against these potential threats as vehicles become increasingly connected.

  • Experts warn that the risk of remote exploitation will grow as vehicles become more connected, highlighting the necessity for manufacturers to integrate security into every component.

Summary based on 5 sources


Sources




Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News • Nov 8, 2024
