CVE-2025-32057

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32057
The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 – 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch
https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) La ECU de infoentretenimiento fabricada por Bosch que está instalada en el Nissan Leaf ZE1 – 2020 utiliza un servicio de Redbend para aprovisionamiento y actualizaciones por aire. Se utiliza HTTPS para la comunicación con el servidor de backend. Debido al uso de la configuración predeterminada para el motor SSL subyacente, el certificado raíz del servidor no se verifica. Como resultado, un atacante podría suplantar un servidor de backend de Redbend utilizando un certificado autofirmado. Identificado por primera vez en el Nissan Leaf ZE1 fabricado en 2020.

22 Jan 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-22 16:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-32057

Mitre link : CVE-2025-32057

CVE.ORG link : CVE-2025-32057

JSON object : View

Products Affected

No product.

CWE
CWE-295

Improper Certificate Validation