
PerfektBlue Bluetooth Flaws Threaten Millions of Vehicles with Remote Hacking

Millions of vehicles, including models from Mercedes-Benz, Volkswagen, and Skoda, are vulnerable to remote code execution due to a critical set of Bluetooth flaws dubbed 'PerfektBlue'. Discovered in OpenSynergy's BlueSDK, these vulnerabilities allow attackers to gain significant control over in-vehicle infotainment systems, potentially leading to data theft and further system compromise.

Critical Bluetooth Flaws Expose Millions of Cars to Remote Hacking

Cybersecurity researchers have uncovered a series of critical vulnerabilities, collectively named 'PerfektBlue', within OpenSynergy's BlueSDK Bluetooth stack. The framework is widely adopted in the automotive industry, powering infotainment systems in millions of vehicles worldwide. The flaws enable attackers to achieve one-click remote code execution (RCE) over the air, posing a significant threat to vehicle security.

Key Takeaways

  • Widespread Impact: Millions of vehicles, including those from Mercedes-Benz, Volkswagen, and Skoda, are affected due to their use of OpenSynergy's BlueSDK Bluetooth stack.

  • Remote Code Execution: The PerfektBlue vulnerabilities can be chained to achieve remote code execution on a vehicle's infotainment system, often requiring minimal or no user interaction.

  • Data Compromise: Successful exploitation can lead to access to sensitive data such as GPS location, microphone input, and contact lists.

  • Lateral Movement Potential: Attackers may be able to pivot from the infotainment system to other critical electronic control units (ECUs) within the vehicle, depending on the system's architecture.

  • Patching Challenges: Despite patches being released in September 2024, many vehicles remain unpatched due to complex automotive supply chains and inconsistent vendor updates.

The PerfektBlue Vulnerabilities

The PerfektBlue attack chain comprises four distinct CVEs:

  • CVE-2024-45434: Use-After-Free in AVRCP service (CVSS 8.0 – Critical)

  • CVE-2024-45431: Improper validation in L2CAP (CVSS 3.5 – Low)

  • CVE-2024-45433: Incorrect function termination in RFCOMM (CVSS 5.7 – Medium)

  • CVE-2024-45432: Incorrect parameter in RFCOMM function call (CVSS 5.7 – Medium)

These vulnerabilities, when chained, allow an attacker to execute arbitrary code on the vulnerable device. The attack typically requires the attacker to be within Bluetooth range and able to pair with the target infotainment system. In some cases, pairing can occur without user interaction, especially if insecure pairing modes like “Just Works” are enabled.

Demonstrated Impact on Major Automakers

Researchers from PCA Cyber Security successfully demonstrated the exploitation of PerfektBlue on the infotainment systems of several major automotive brands:

  • Mercedes-Benz NTG6: Attackers gained phone-level user permissions on 2020–2021 firmware.

  • Volkswagen ID.4 ICAS3: Exploitation of both 2021 and 2023 firmware versions granted sint_sec_btapp privileges.

  • Skoda Superb MIB3: Similar outcomes were observed, confirming broad vulnerability across multiple firmware generations.

These RCE footholds provide attackers with significant access, potentially allowing them to track GPS data, record audio, access contact lists, and even attempt lateral movement to other vehicle systems. While direct control over critical functions like steering or braking has not been demonstrated, previous research indicates that such lateral movement from infotainment systems to more critical ECUs is possible.

Patching and Mitigation Challenges

OpenSynergy distributed patches to its BlueSDK customers in September 2024. However, the complex and often opaque automotive supply chain has led to significant delays in these patches reaching end-users. Some OEMs reported in mid-2025 that they had not received the necessary security updates.

For vehicle owners, determining if their specific device is vulnerable is challenging due to BlueSDK's configurable nature and the lack of direct firmware inspection tools. The primary recommendation for users is to update their infotainment system firmware to the latest available version. If concerns persist, disabling Bluetooth functionality entirely is an option, though it may limit convenience features.

