Zero Motorcycles Firmware Key Exchange without Entity Authentication_CVE-2026-1354

6.4 / 10

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Description

Zero Motorcycles firmware versions 44 and prior enable an attacker to
forcibly pair a device with the motorcycle via Bluetooth. Once paired,
an attacker can utilize over-the-air firmware updating functionality to
potentially upload malicious firmware to the motorcycle. The motorcycle
must first be in Bluetooth pairing mode, and the attacker must be in
proximity of the vehicle and understand the full pairing process, to be
able to pair their device with the vehicle. The attacker's device must
remain paired with and in proximity of the motorcycle for the entire
duration of the firmware update.

Basic Information

ID CVE-2026-1354

Source icscert

Published Apr 21, 2026 at 21:43

Affected Product

Vendor Zero Motorcycles

Product Zero Motorcycles firmware

Affected Versions Zero Motorcycles Zero Motorcycles firmware 0

CWE Classification

CWE-322

References

{
    "lastseen": "",
    "description": "Zero Motorcycles firmware versions 44 and prior enable an attacker to \nforcibly pair a device with the motorcycle via Bluetooth. Once paired, \nan attacker can utilize over-the-air firmware updating functionality to \npotentially upload malicious firmware to the motorcycle. The motorcycle \nmust first be in Bluetooth pairing mode, and the attacker must be in \nproximity of the vehicle and understand the full pairing process, to be \nable to pair their device with the vehicle. The attacker's device must \nremain paired with and in proximity of the motorcycle for the entire \nduration of the firmware update.",
    "published": "2026-04-21T21:43:53.276Z",
    "modified": "2026-04-21T21:43:53.276Z",
    "type": "cve",
    "title": "Zero Motorcycles Firmware Key Exchange without Entity Authentication",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json",
    "id": "CVE-2026-1354",
    "bulletinFamily": "",
    "cwe": [
        "CWE-322"
    ],
    "cvelist": null,
    "sourceData": "Zero Motorcycles Zero Motorcycles firmware 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Zero Motorcycles firmware",
    "version": "0",
    "vendor": "Zero Motorcycles",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}