CVE-2025-8652 – This vulnerability allows physically present at... (How to Fix)

Q: What is the severity of CVE-2025-8652?

CVE-2025-8652 has a CVSS score of 6.8 (MEDIUM). This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia systems without authentication. Attackers can exploit command injection in the JKWifiService to gain complete control of affected devices. Only physically accessible devices are vulnerable.

📋 TL;DR

This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia systems without authentication. Attackers can exploit command injection in the JKWifiService to gain complete control of affected devices. Only physically accessible devices are vulnerable.

💻 Affected Systems

Products:

Kenwood DMX958XR

Versions: All versions prior to patch

Operating Systems: Embedded Linux/Android-based automotive system

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects physically accessible devices; requires attacker to interact with device interface.

📦 What is this software?

Dmx958xr Firmware by Jvckenwood

View all CVEs affecting Dmx958xr Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full root access to the device, potentially compromising vehicle systems, stealing data, or using the device as an entry point to connected networks.

🟠

Likely Case

Local attacker executes arbitrary commands to modify device settings, install malware, or access stored data like Bluetooth pairings and WiFi credentials.

🟢

If Mitigated

With physical security controls preventing unauthorized access, impact is limited to authorized users who would need to deliberately exploit the vulnerability.

🌐 Internet-Facing: LOW - Requires physical access to exploit; not remotely exploitable over internet.

🏢 Internal Only: MEDIUM - Physical access required, but vehicles in unsecured locations (parking lots, service centers) could be targeted.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical access and knowledge of the vulnerability, but no authentication is needed once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kenwood firmware updates

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-800/

Restart Required: Yes

Instructions:

1. Check Kenwood support website for firmware updates. 2. Download latest firmware for DMX958XR. 3. Install update via USB following manufacturer instructions. 4. Verify installation and restart device.

🔧 Temporary Workarounds

Disable WiFi Service

android

Temporarily disable the vulnerable JKWifiService if not needed

adb shell pm disable com.kenwood.jkwifiservice

Physical Security Controls

all

Implement physical security measures to prevent unauthorized access to vehicle

🧯 If You Can't Patch

Park vehicles in secure, monitored locations to prevent physical access by unauthorized individuals.
Disconnect device from vehicle power when not in use for extended periods to prevent exploitation.

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device settings; if not updated to latest version, assume vulnerable.

Check Version:

adb shell getprop ro.build.version.incremental

Verify Fix Applied:

Verify firmware version matches latest release from Kenwood and test WiFi service functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
WiFi service crashes or abnormal restarts
Unexpected process execution from JKWifiService

Network Indicators:

Unusual network traffic from device when vehicle is parked
Unexpected outbound connections from head unit

SIEM Query:

source="vehicle_systems" AND (process="JKWifiService" AND command_execution=*)

📊 Metadata

CVE ID: CVE-2025-8652

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.11% exploit probability (29.7th percentile)

Published: August 6, 2025

Last Updated: August 7, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-800/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8652, you might also want to check these: