CVE-2023-28912
BaseFortify
Publication date: 2025-06-28
Last updated on: 2025-06-30
Assigner: Automotive Security Research Group (ASRG)
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to the vehicle owner's phone contact data, potentially compromising personal information. An attacker with code execution privileges or physical access can extract sensitive contact information from the vehicle's infotainment system.
Can you explain this vulnerability to me?
This vulnerability affects the MIB3 infotainment unit in certain vehicles, where the phone contact book synchronized from a paired device is stored in cleartext. An attacker who has either code execution privileges on the unit or physical access to it can obtain the vehicle owner's contact data because the stored data is not protected (CWE-312).
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting physical access to the vehicle's MIB3 infotainment unit and pairing only trusted devices via Bluetooth, since exploitation requires either code execution privileges or physical access. Additionally, updating the MIB3 unit firmware to the version released by Volkswagen by early 2024, which includes remediation for this and related vulnerabilities, is recommended. [1]