Search criteria
2 vulnerabilities found for DiLink OS by BYD
CVE-2025-7020 (GCVE-0-2025-7020)
Vulnerability from cvelistv5 – Published: 2025-08-09 12:42 – Updated: 2025-08-11 15:54
VLAI?
Summary
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.
This vulnerability was introduced in a patch intended to fix CVE-2024-54728.
Severity ?
CWE
- CWE-656 - Incorrect Encryption Implementation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Lior Zur Lotan (PlaxidityX)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T15:54:29.496185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T15:54:36.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Multimedia Unit",
"IVI",
"filesystem",
"log dump"
],
"platforms": [
"Dilink 3.0"
],
"product": "DiLink OS",
"vendor": "BYD",
"versions": [
{
"status": "affected",
"version": "13.1.32.2307211.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lior Zur Lotan (PlaxidityX)"
}
],
"datePublic": "2025-08-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\u003c/p\u003e\u003cp\u003eThis vulnerability was introduced in a patch intended to fix CVE-2024-54728.\u003c/p\u003e"
}
],
"value": "An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\n\nThis vulnerability was introduced in a patch intended to fix CVE-2024-54728."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/V:D/RE:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-656",
"description": "CWE-656: Incorrect Encryption Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T12:42:29.150Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2025-7020/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BYD DiLink OS Incorrect encryption Implementation of system log dumps",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2025-7020",
"datePublished": "2025-08-09T12:42:29.150Z",
"dateReserved": "2025-07-02T12:24:26.302Z",
"dateUpdated": "2025-08-11T15:54:36.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7020 (GCVE-0-2025-7020)
Vulnerability from nvd – Published: 2025-08-09 12:42 – Updated: 2025-08-11 15:54
VLAI?
Summary
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.
This vulnerability was introduced in a patch intended to fix CVE-2024-54728.
Severity ?
CWE
- CWE-656 - Incorrect Encryption Implementation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Lior Zur Lotan (PlaxidityX)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T15:54:29.496185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T15:54:36.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Multimedia Unit",
"IVI",
"filesystem",
"log dump"
],
"platforms": [
"Dilink 3.0"
],
"product": "DiLink OS",
"vendor": "BYD",
"versions": [
{
"status": "affected",
"version": "13.1.32.2307211.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lior Zur Lotan (PlaxidityX)"
}
],
"datePublic": "2025-08-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\u003c/p\u003e\u003cp\u003eThis vulnerability was introduced in a patch intended to fix CVE-2024-54728.\u003c/p\u003e"
}
],
"value": "An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\n\nThis vulnerability was introduced in a patch intended to fix CVE-2024-54728."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/V:D/RE:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-656",
"description": "CWE-656: Incorrect Encryption Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T12:42:29.150Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2025-7020/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BYD DiLink OS Incorrect encryption Implementation of system log dumps",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2025-7020",
"datePublished": "2025-08-09T12:42:29.150Z",
"dateReserved": "2025-07-02T12:24:26.302Z",
"dateUpdated": "2025-08-11T15:54:36.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}