Description

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle. Testing was completed on Tesla Model 3 vehicles with software version v11.1 (2023.20.9 ee6de92ddac5). This issue affects Model 3 with software versions from 2023.Xx before 2023.44.

PUBLISHED Reserved 2025-06-27 | Published 2025-09-04 | Updated 2025-09-11 | Assigner ASRG




MEDIUM: 4.7 CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

Problem types

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-1263 Improper Physical Access Control

Product status

Default status
unaffected

2023.xx (custom) before 2023.44
affected

Credits

Netanel Saka (Plaxidityx) finder

References

asrg.io/security-advisories/cve-2025-6785/ third-party-advisory

cve.org (CVE-2025-6785)

nvd.nist.gov (CVE-2025-6785)
