CVE-2025-32060 PUBLISHED

Absence of Kernel Module Signature Verification on Linux System of Infotainment ECU

Assigner: ASRG
Reserved: 03.04.2025 Published: 15.02.2026 Updated: 15.02.2026

The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a flaw can lead to taking control over the entire system.

First identified on Nissan Leaf ZE1 manufactured in 2020.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Bosch
Product	Infotainment system ECU
Versions	Default: unaffected Version 283C30861E is affected

Credits

Mikhail Evdokimov (PCA Cyber Security Assessment Team) finder

References

Problem Types

CWE-347: Improper Verification of Cryptographic Signature CWE

Impacts

CAPEC-115 Authentication Bypass