CVE-2025-61081

BYD · Atto3

The BYD Atto3 vehicle authentication system is susceptible to brute-force attacks, allowing attackers to obtain persistent authentication keys.

Executive summary

A critical authentication flaw in the BYD Atto3 allows attackers to brute-force authentication keys, potentially leading to unauthorized vehicle access.

Vulnerability

The vulnerability stems from insufficient rate limiting or other protection against brute-force attempts on the authentication mechanism, which lets an attacker recover a valid authentication key that then remains permanently valid.

Business impact

A successful exploit could result in unauthorized access to or control of vehicle systems, posing significant safety and security risks to the owner. Given the CVSS score of 7.5, this high-severity vulnerability requires immediate attention from affected users and coordination with the manufacturer to ensure that security patches are applied.

Remediation

Immediate Action: Contact the vehicle manufacturer or authorized service center to inquire about available firmware updates or security bulletins addressing this specific authentication flaw.

Proactive Monitoring: Monitor any associated mobile application or vehicle portal accounts for unusual login activity or unrecognized device pairings.

Compensating Controls: If available, enable multi-factor authentication (MFA) on the associated account management portal to provide an additional layer of security beyond the vulnerable key.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Authentication vulnerabilities in automotive systems present unique physical and digital safety risks. Owners of the BYD Atto3 should verify their current firmware version and coordinate with authorized service providers to ensure the latest security mitigations are applied to prevent unauthorized access.