CVE-2025-6029: KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack

Description

The Key Fob Transmitter in the KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, uses fixed learning codes, one code to lock the car and another to unlock it, which allows a replay attack.

The manufacturer is unknown at the time of release. The CVE Record will be updated once this is clarified.

Classification

CVE ID: CVE-2025-6029

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N

Problem Types

CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-294 Authentication Bypass by Capture-replay

Affected Products

Vendor: KIA

Product: Aftermarket Generic Smart Keyless Entry System

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.64% (percentage of other vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-06-30 (when this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-6029
https://revers3everything.com/unlocking-thousands-of-cars-by-exploiting-learning-codes-from-key-fobs/
https://asrg.io/security-advisories/cve-2025-6029-kia-branded-aftermarket-generic-smart-keyless-entry-system-replay-attack/

Timeline