CVE-2024-35537

7.5 HIGH

📋 TL;DR

The TVS Connect mobile application insecurely handles RSA key pairs, potentially allowing attackers to decrypt sensitive information transmitted by the app. This affects all users of TVS Connect Android v4.6.0 and iOS v5.0.0 who use the app to connect with TVS vehicles.

💻 Affected Systems

Products:
  • TVS Connect Android Application
  • TVS Connect iOS Application
Versions: Android v4.6.0, iOS v5.0.0
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of these specific versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt all sensitive data transmitted between the app and vehicles, including location data, vehicle status, personal information, and potentially gain unauthorized access to vehicle functions.

🟠 Likely Case

Attackers intercepting app communications could access personal user data, trip history, and vehicle telemetry information.

🟢 If Mitigated

With proper network segmentation and encryption controls, impact is limited to data exposure within the app's communication scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the cryptographic implementation, making exploitation straightforward once the insecure key handling is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check for app updates in Google Play Store or Apple App Store.
2. Update to the latest version if available.
3. Restart the application after update.

🔧 Temporary Workarounds

Disable App Usage

all

Stop using the vulnerable TVS Connect application until a patch is available.

Network Segmentation

all

Restrict the app's network access to trusted networks only.

🧯 If You Can't Patch

  • Uninstall the TVS Connect application from all devices
  • Use alternative methods for vehicle connectivity if available

🔍 How to Verify

Check if Vulnerable:

Check app version in settings: Android v4.6.0 or iOS v5.0.0 indicates vulnerability.

Check Version:

Android: Settings > Apps > TVS Connect > App info
iOS: Settings > General > iPhone Storage > TVS Connect

Verify Fix Applied:

Verify app version is higher than Android v4.6.0 or iOS v5.0.0 after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual decryption errors
  • Failed authentication attempts with vehicle systems

Network Indicators:

  • Unusual traffic patterns from TVS Connect app
  • Intercepted encrypted communications showing decryption attempts

SIEM Query:

source="mobile_app_logs" app_name="TVS Connect" (error="decryption" OR error="crypto")

🔗 References
