CVE-2023-28907

There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2/
https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-vw-mib3-infotainment-2
https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf

Configurations

No configuration.

History

30 Jun 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-28 16:15

Updated : 2025-06-30 20:15

NVD link : CVE-2023-28907

Mitre link : CVE-2023-28907

CVE.ORG link : CVE-2023-28907

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-28907", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@asrg.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2025-06-28T16:15:22.740", "references": [{"url": "https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2/", "source": "cve@asrg.io"}, {"url": "https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf", "source": "cve@asrg.io"}, {"url": "https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-vw-mib3-infotainment-2", "source": "cve@asrg.io"}, {"url": "https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cve@asrg.io", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing.\nThe vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources."}, {"lang": "es", "value": "No existe aislamiento de memoria entre los n\u00facleos de la CPU del sistema de infoentretenimiento MIB3. Esto permite a un atacante con acceso al sistema operativo principal comprometer el n\u00facleo de la CPU responsable del procesamiento de mensajes CAN. La vulnerabilidad se descubri\u00f3 originalmente en el Skoda Superb III con unidad de infoentretenimiento MIB3 con n\u00famero de pieza OEM 3V0035820. La lista de los n\u00fameros de pieza OEM MIB3 afectados se proporciona en los recursos referenciados."}], "lastModified": "2025-06-30T20:15:23.477", "sourceIdentifier": "cve@asrg.io"}