• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Security
  • Mazda Connect flaws allow to hack some Mazda vehicles

Mazda Connect flaws allow to hack some Mazda vehicles

Pierluigi Paganini November 09, 2024

Multiple vulnerabilities in the infotainment unit Mazda Connect could allow attackers to execute arbitrary code with root access.

Trend Micro’s Zero Day Initiative warned of multiple vulnerabilities in the Mazda Connect infotainment system that could allow attackers to execute code with root privileges. This occurs due to improper input sanitization in the Mazda Connect CMU, allowing attackers with physical access to exploit the system using a crafted USB device.

The vulnerabilities impact the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, including the Mazda 3 model year 2014-2021.

“Multiple vulnerabilities have been discovered in the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, such as the Mazda 3 model year 2014-2021. Like in so many cases, these vulnerabilities are caused by insufficient sanitization when handling attacker-supplied input.” reads the advisory. “A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device – such as an iPod or mass storage device – to the target system. Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges.”

The research targeted a CMU unit manufactured by Visteon, with software initially developed by Johnson Controls Inc. (JCI). The study focused on the latest software version (74.00.324A), but experts believe that earlier versions (at least 70.x) may also be vulnerable. The CMU has an active modding community that uses software vulnerabilities to alter the unit’s operation, with various software tweaks released. As of the publication, no publicly known vulnerabilities have been identified in the latest firmware version.

Below are the vulnerabilities reported by ZDI:

  • CVE-2024-8355: SQL injection in DeviceManager, enabling database manipulation or code execution via spoofed Apple device connections.
  • CVE-2024-8359 and CVE-2024-8360: Command injections in REFLASH_DDU_FindFile and REFLASH_DDU_ExtractFile, allowing arbitrary OS command execution through file path inputs.
  • CVE-2024-8358: Command injection in UPDATES_ExtractFile, enabling command execution via file paths during updates.
  • CVE-2024-8357: Lack of root of trust in App SoC, risking persistent attacker control by bypassing boot security checks.
  • CVE-2024-8356: Unsigned code vulnerability in VIP MCU, allowing unauthorized firmware uploads that could impact vehicle subsystems.

These vulnerabilities could enable attackers to gain control over or manipulate the infotainment system and potentially affect certain vehicle functions and safety.

These issues are unpatched, with some command injection flaws that could grant attackers unrestricted access to vehicle networks.

The researchers demonstrated in a lab environment that the attack, from USB insertion to installing a crafted update, takes only a few minutes. This quick compromise allows vehicles to be targeted during valet service, ride-sharing, or through USB malware. Once compromised, the CMU could be modified to target connected devices, potentially causing Denial of Service (DoS), device bricking, ransomware attacks, or even safety issues.

“The CMU can then be compromised and “enhanced” to, for example, attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mazda Connect)


facebook linkedin twitter

automotive Hacking hacking news information security news IT Information Security Mazda Mazda Connect Connectivity Master Unit Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 10, 2025
Qantas data breach impacted 5.7 million individuals
Read more
Pierluigi Paganini July 10, 2025
DoNot APT is expanding scope targeting European foreign ministries
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    DoNot APT is expanding scope targeting European foreign ministries

    APT / July 10, 2025

    Nippon Steel Solutions suffered a data breach following a zero-day attack

    Data Breach / July 09, 2025

    Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

    Malware / July 09, 2025

    Hackers weaponize Shellter red teaming tool to spread infostealers

    Malware / July 09, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT