CVE-2025-8644 – This vulnerability allows physically present at... (How to Fix)

Q: What is the severity of CVE-2025-8644?

CVE-2025-8644 has a CVSS score of 6.8 (MEDIUM). This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers by exploiting a command injection flaw in the firmware update process. No authentication is required, making it accessible to anyone with physical access to the device. Only users of the specific Kenwood model are affected.

📋 TL;DR

This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers by exploiting a command injection flaw in the firmware update process. No authentication is required, making it accessible to anyone with physical access to the device. Only users of the specific Kenwood model are affected.

💻 Affected Systems

Products:

Kenwood DMX958XR

Versions: All versions prior to patched firmware

Operating Systems: Embedded Linux/RTOS on Kenwood hardware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. The device must be physically accessible to exploit.

📦 What is this software?

Dmx958xr Firmware by Jvckenwood

View all CVEs affecting Dmx958xr Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full root control of the device, potentially compromising vehicle systems, stealing data, or using the device as an entry point to other connected systems.

🟠

Likely Case

Local attacker installs malware, modifies device functionality, or extracts sensitive information from the device.

🟢

If Mitigated

With physical security controls preventing unauthorized access, impact is limited to authorized users who would need to deliberately exploit the vulnerability.

🌐 Internet-Facing: LOW - The vulnerability requires physical access to the device and does not appear to be exploitable remotely.

🏢 Internal Only: HIGH - Physical access to the device is sufficient for exploitation without authentication.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical access and knowledge of command injection techniques. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kenwood support for latest firmware

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-792/

Restart Required: Yes

Instructions:

1. Visit Kenwood support website. 2. Download latest firmware for DMX958XR. 3. Transfer to USB drive. 4. Insert USB into device. 5. Follow on-screen firmware update instructions.

🔧 Temporary Workarounds

Physical Access Control

all

Prevent unauthorized physical access to the device

Disable Unauthorized USB Ports

all

If possible, disable USB ports or restrict to trusted devices only

🧯 If You Can't Patch

Implement strict physical security controls around the vehicle
Disconnect or disable the device if not essential for operation

🔍 How to Verify

Check if Vulnerable:

Check firmware version against Kenwood's patched version list

Check Version:

Navigate to device Settings > System Information > Firmware Version

Verify Fix Applied:

Confirm firmware version matches or exceeds patched version from vendor

📡 Detection & Monitoring

Log Indicators:

Unusual firmware update attempts
Unexpected system command execution

Network Indicators:

None - local exploitation only

SIEM Query:

Not applicable - physical access required

📊 Metadata

CVE ID: CVE-2025-8644

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.06% exploit probability (18.9th percentile)

Published: August 6, 2025

Last Updated: August 7, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-792/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8644, you might also want to check these: