CVE-2025-32063 PUBLISHED

Enabling SSH server on Infotainment ECU

Assigner: ASRG
Reserved: 03.04.2025 Published: 15.02.2026 Updated: 15.02.2026

There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server.

First identified on Nissan Leaf ZE1 manufactured in 2020.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.8

Attack Vector	Physical	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Bosch
Product	Infotainment system ECU
Versions	Default: unaffected Version 283C30861E is affected

Credits

Radu Motspan (PCA Cyber Security Assessment Team) finder

References

Problem Types

CWE-306 Missing Authentication for Critical Function CWE

Impacts

CAPEC-578 Disable Security Software