CVE-2025-8655 – This vulnerability allows physically present at... (How to Fix)

Q: What is the severity of CVE-2025-8655?

CVE-2025-8655 has a CVSS score of 6.8 (MEDIUM). This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers. Attackers can exploit the firmware update process via command injection without authentication. Only users of this specific Kenwood device model are affected.

📋 TL;DR

This vulnerability allows physically present attackers to execute arbitrary code with root privileges on Kenwood DMX958XR car multimedia receivers. Attackers can exploit the firmware update process via command injection without authentication. Only users of this specific Kenwood device model are affected.

💻 Affected Systems

Products:

Kenwood DMX958XR

Versions: All versions prior to patched firmware

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices with vulnerable firmware are affected; no special configuration required for exploitation.

📦 What is this software?

Dmx958xr Firmware by Jvckenwood

View all CVEs affecting Dmx958xr Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full root control of the device, potentially compromising connected systems, stealing data, or using the device as an attack vector against other connected vehicles or networks.

🟠

Likely Case

Local attacker executes arbitrary code to modify device functionality, install malware, or access sensitive information stored on the device.

🟢

If Mitigated

With physical security controls preventing unauthorized access to the device, impact is limited to authorized users only.

🌐 Internet-Facing: LOW - Requires physical access to the device; not directly exploitable over the internet.

🏢 Internal Only: MEDIUM - Physical access required, but vehicles in unsecured locations (parking lots, public garages) could be targeted.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical access to the device and knowledge of the command injection technique. No authentication is required once physical access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kenwood support for latest firmware

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-803/

Restart Required: Yes

Instructions:

1. Visit Kenwood support website. 2. Download latest firmware for DMX958XR. 3. Transfer firmware to USB drive. 4. Insert USB into device. 5. Follow on-screen firmware update instructions. 6. Device will restart automatically.

🔧 Temporary Workarounds

Physical Access Control

all

Prevent unauthorized physical access to the device by keeping vehicles locked and in secure locations.

Disable Unused Features

all

Disable any unnecessary connectivity features that could be used as attack vectors if physical access is obtained.

🧯 If You Can't Patch

Restrict physical access to vehicles containing vulnerable devices
Monitor for suspicious device behavior or unexpected firmware update attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device settings menu; if not running latest patched version, device is vulnerable.

Check Version:

Navigate to Settings > System Information > Firmware Version on the device interface

Verify Fix Applied:

After firmware update, verify version number matches latest patched version from Kenwood support site.

📡 Detection & Monitoring

Log Indicators:

Unexpected firmware update attempts
System command execution logs showing unusual commands
Root privilege escalation attempts

Network Indicators:

Unusual USB device connections if monitored
Unexpected firmware download patterns

SIEM Query:

Not applicable - primarily physical access exploitation

📊 Metadata

CVE ID: CVE-2025-8655

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.11% exploit probability (29.7th percentile)

Published: August 6, 2025

Last Updated: August 7, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-803/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8655, you might also want to check these: