CVE-2025-28169
📋 TL;DR
BYD QIN PLUS DM-i vehicles running Dilink OS versions 3.0_13.1.7.2204050.1 through 3.0_13.1.7.2312290.1_0 send unencrypted broadcasts to manufacturer cloud servers, enabling man-in-the-middle attacks. This affects vehicle owners and potentially connected infrastructure. Attackers can intercept and manipulate vehicle-to-cloud communications.
💻 Affected Systems
- BYD QIN PLUS DM-i
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete vehicle control compromise including remote manipulation of safety-critical systems, location tracking, data theft, and unauthorized access to connected services.
Likely Case
Interception of vehicle telemetry data, location tracking, unauthorized access to user accounts, and potential manipulation of non-critical vehicle functions.
If Mitigated
Limited data exposure with encrypted communications preventing meaningful interception or manipulation of vehicle systems.
🎯 Exploit Status
Attack requires network access to intercept unencrypted broadcasts. Public GitHub gist demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.byd.com
Restart Required: No
Instructions:
Contact BYD dealership for software updates. Check for firmware updates through vehicle infotainment system settings.
🔧 Temporary Workarounds
Disable Connected Services
Temporarily disable vehicle-to-cloud communications to prevent data exposure
Navigate to vehicle settings > Connectivity > Disable cloud services
Use Secure Wi-Fi Networks
Avoid public or untrusted Wi-Fi networks for vehicle connectivity
🧯 If You Can't Patch
- Monitor vehicle network traffic for unusual patterns or unauthorized connections
- Implement network segmentation to isolate vehicle systems from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check the Dilink OS version in vehicle settings > System Information. If the version falls within the affected range (3.0_13.1.7.2204050.1 through 3.0_13.1.7.2312290.1_0, inclusive), the vehicle is vulnerable.
Check Version:
Vehicle settings menu: System > About > Software Version
Verify Fix Applied:
Verify OS version has been updated beyond v3.0_13.1.7.2312290.1_0. Monitor network traffic to confirm communications are encrypted.
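The version comparison in the two verification steps above is easy to get wrong by hand because the Dilink OS strings mix '.' and '_' separators and have a different number of fields at each end of the range. The following checker is an added example written for this page; it is not a BYD tool and not a script from this site. It assumes (the advisory does not say) that a version string is a sequence of numeric fields split on '.' or '_' that compares field by field from the left, like a dotted version number.

```python
import re

# Affected range exactly as stated in the advisory (inclusive at both ends).
AFFECTED_MIN = "3.0_13.1.7.2204050.1"
AFFECTED_MAX = "3.0_13.1.7.2312290.1_0"


def parse_version(version: str) -> tuple:
    """Split a Dilink OS version string into a tuple of integers.

    Assumption (not stated in the advisory): fields are separated by '.' or
    '_' and the string orders field by field, left to right; a string that
    is a prefix of a longer one sorts before it, as with dotted versions.
    """
    fields = [f for f in re.split(r"[._]", version.strip()) if f != ""]
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised Dilink OS version string: {version!r}")
    return tuple(int(f) for f in fields)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def classify(version: str) -> str:
    """Verdict for the three cases the 'How to Verify' steps distinguish."""
    v = parse_version(version)
    if v < parse_version(AFFECTED_MIN):
        return "older than the affected range (not covered by the advisory)"
    if v > parse_version(AFFECTED_MAX):
        return "newer than the affected range (updated beyond the last affected build)"
    return "within the affected range: vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs: the two range endpoints, one build in the
    # middle, and one build after the range.
    for sample in (AFFECTED_MIN, "3.0_13.1.7.2308150.1", AFFECTED_MAX,
                   "3.0_13.1.7.2401100.1"):
        print(f"{sample:28} -> {classify(sample)}")
```

Read the string from System > About > Software Version and pass it to classify(); anything that raises ValueError is a format the checker does not recognise and should be compared manually rather than treated as safe.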
📡 Detection & Monitoring
Log Indicators:
- Unencrypted HTTP traffic to BYD cloud endpoints
- Unusual authentication attempts to vehicle systems
- Multiple failed connection attempts
Network Indicators:
- Plaintext vehicle telemetry data in network captures
- Unencrypted broadcasts to manufacturer domains
- Suspicious man-in-the-middle proxy activity
SIEM Query:
source="vehicle_network" AND (protocol="HTTP" OR protocol="unencrypted") AND dest_ip IN (byd_cloud_ips)