vulnerabilities affecting the Nissan Leaf electric vehicle
Researchers have demonstrated that a series of vulnerabilities affecting the Nissan Leaf electric vehicle can be exploited to remotely hack the car, including for spying and the physical takeover of various functions.
The research was conducted by PCAutomotive, a company that offers penetration testing and threat intelligence services for the automotive and financial services industries. The Nissan Leaf hacking was detailed last week at Black Hat Asia 2025.
PCAutomotive researchers targeted a second generation Nissan Leaf made in 2020. The vulnerabilities they found enabled them to use the infotainment system’s Bluetooth capabilities to infiltrate the car’s internal network.
They were then able to escalate privileges and establish a C&C channel over cellular communications to maintain stealthy and persistent access to the EV directly over the internet.
The researchers showed that an attacker could exploit the vulnerabilities to spy on the owner by tracking the car’s location, taking screenshots of the infotainment system, and recording people talking in the vehicle.
They were also able to remotely take control of various physical functions, including doors, wipers, the horn, mirrors, windows, lights, and even the steering wheel, including while the car was in motion.
The vulnerabilities have been assigned eight CVE identifiers: CVE-2025-32056 through CVE-2025-32063. The disclosure process started in August 2023 and Nissan confirmed the findings in January 2024, but it took until recently to get the CVEs assigned, according to the researchers.
Contacted by SecurityWeek, a Nissan spokesperson commented, “PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”
(courtesy:securityweek.com)
