CVE-2026-2541
Unknown Unknown - Not Provided
Low-Entropy Rolling Code Brute-Force in Micca KE700 Enables Unauthorized Access

Publication date: 2026-02-15

Last updated on: 2026-02-15

Assigner: Automotive Security Research Group (ASRG)

Description
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component of the rolling code. Successful exploitation simplify an attacker to predict the next valid rolling code, granting unauthorized access to the vehicle.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-15
Last Modified
2026-02-15
Generated
2026-06-16
AI Q&A
2026-02-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2541
EUVD
EUVD-2026-5830
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
micca ke700 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-331 The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2541 is a vulnerability in the Micca KE700 car alarm system caused by low entropy in its rolling code generation.

The rolling code consists of three parts: a 16-bit random number, a 16-bit counter, and a 9-bit Key Fob ID. The counter increments predictably by 1 with each transmission, and the Key Fob ID remains constant, leaving only the 16-bit random number as the unknown variable.

Because the random number is only 16 bits, there are only 65,536 possible values, making brute-force attacks feasible.

An attacker can sniff a single transmission to learn the current counter value, predict the next counter value, and then rapidly try all possible random numbers to guess the next valid rolling code.

At a rate of one code every 380 milliseconds, the attacker can exhaust the keyspace in about 6.9 hours, allowing unauthorized access to the vehicle.

Impact Analysis

This vulnerability allows an attacker to gain unauthorized access to a vehicle equipped with the Micca KE700 car alarm system.

By exploiting the low entropy in the rolling code, an attacker can predict the next valid code and bypass the authentication mechanism.

This could lead to vehicle theft or unauthorized use without needing to capture future legitimate signals.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sniffing the transmissions of the Micca KE700 car alarm system to observe the rolling codes being sent in plain text. By capturing a single transmission, you can determine the current counter value used in the rolling code.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring the wireless signals for the rolling code components, especially focusing on the predictable 16-bit counter and the constant 9-bit Key Fob ID.'}, {'type': 'paragraph', 'content': "While specific commands are not provided, typical wireless sniffing tools such as 'rtl_433' or 'Wireshark' with appropriate radio hardware could be used to capture and analyze these transmissions."}] [1]

Mitigation Strategies

Immediate mitigation steps include increasing the entropy of the random component in the rolling code to at least 64 bits to make brute-force attacks computationally infeasible.

Replacing the proprietary rolling code logic with a standard, publicly vetted algorithm such as KeeLoq or an AES-based equivalent is recommended.

Until a firmware or system update is available, users should be cautious about the physical security of their vehicles and consider additional security measures such as secondary authentication methods or physical barriers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart