CVE-2025-8635 – This vulnerability allows physically present at... (How to Fix)

Q: What is the severity of CVE-2025-8635?

CVE-2025-8635 has a CVSS score of 6.8 (MEDIUM). This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers by exploiting command injection during firmware updates. Attackers can gain complete control of the device without authentication. Only users with physical access to the vehicle can exploit this vulnerability.

📋 TL;DR

This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers by exploiting command injection during firmware updates. Attackers can gain complete control of the device without authentication. Only users with physical access to the vehicle can exploit this vulnerability.

💻 Affected Systems

Products:

Kenwood DMX958XR

Versions: All versions prior to patched firmware

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. Physical access to the device is required for exploitation.

📦 What is this software?

Dmx958xr Firmware by Jvckenwood

View all CVEs affecting Dmx958xr Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full root control of the device, potentially compromising vehicle systems, stealing personal data, or installing persistent malware.

🟠

Likely Case

Local attacker modifies device functionality, installs unauthorized software, or accesses stored media and connection data.

🟢

If Mitigated

With physical security controls, risk is limited to authorized personnel only.

🌐 Internet-Facing: LOW - Requires physical access to the device, not remotely exploitable.

🏢 Internal Only: MEDIUM - Physical access requirement makes it an insider threat risk.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical access and knowledge of command injection techniques. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kenwood support for latest firmware

Vendor Advisory: https://www.kenwood.com/usa/support/

Restart Required: Yes

Instructions:

1. Visit Kenwood support website. 2. Download latest firmware for DMX958XR. 3. Copy to USB drive. 4. Insert USB into device. 5. Follow on-screen firmware update instructions.

🔧 Temporary Workarounds

Disable physical access

all

Prevent unauthorized physical access to the vehicle and device

Disable firmware updates

all

Prevent firmware updates from unauthorized sources

🧯 If You Can't Patch

Implement strict physical security controls for vehicles
Monitor for unauthorized device modifications or unusual behavior

🔍 How to Verify

Check if Vulnerable:

Check firmware version against Kenwood's security advisory. If running unpatched firmware, device is vulnerable.

Check Version:

Navigate to Settings > System Information > Firmware Version on the device interface

Verify Fix Applied:

Verify firmware version matches or exceeds patched version from Kenwood advisory.

📡 Detection & Monitoring

Log Indicators:

Unexpected firmware update attempts
System command execution logs
Unauthorized process execution

Network Indicators:

Unusual USB device connections during firmware updates

SIEM Query:

Not applicable - primarily physical access based attack

📊 Metadata

CVE ID: CVE-2025-8635

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.06% exploit probability (18.9th percentile)

Published: August 6, 2025

Last Updated: August 7, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-783/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8635, you might also want to check these: