CVE-2026-2541
Low-Entropy Rolling Code Brute-Force in Micca KE700 Enables Unauthorized Access
Publication date: 2026-02-15
Last updated on: 2026-02-15
Assigner: Automotive Security Research Group (ASRG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| micca | ke700 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2541 is a vulnerability in the Micca KE700 car alarm system caused by low entropy in its rolling code generation.
The rolling code consists of three parts: a 16-bit random number, a 16-bit counter, and a 9-bit Key Fob ID. The counter increments predictably by 1 with each transmission, and the Key Fob ID remains constant, leaving only the 16-bit random number as the unknown variable.
Because the random number is only 16 bits, there are only 65,536 possible values, making brute-force attacks feasible.
An attacker can sniff a single transmission to learn the current counter value, predict the next counter value, and then rapidly try all possible random numbers to guess the next valid rolling code.
At a rate of one code every 380 milliseconds, the attacker can exhaust the keyspace in about 6.9 hours, allowing unauthorized access to the vehicle.
How can this vulnerability impact me? :
This vulnerability allows an attacker to gain unauthorized access to a vehicle equipped with the Micca KE700 car alarm system.
By exploiting the low entropy in the rolling code, an attacker can predict the next valid code and bypass the authentication mechanism.
This could lead to vehicle theft or unauthorized use without needing to capture future legitimate signals.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sniffing the transmissions of the Micca KE700 car alarm system to observe the rolling codes being sent in plain text. By capturing a single transmission, you can determine the current counter value used in the rolling code.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring the wireless signals for the rolling code components, especially focusing on the predictable 16-bit counter and the constant 9-bit Key Fob ID.'}, {'type': 'paragraph', 'content': "While specific commands are not provided, typical wireless sniffing tools such as 'rtl_433' or 'Wireshark' with appropriate radio hardware could be used to capture and analyze these transmissions."}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include increasing the entropy of the random component in the rolling code to at least 64 bits to make brute-force attacks computationally infeasible.
Replacing the proprietary rolling code logic with a standard, publicly vetted algorithm such as KeeLoq or an AES-based equivalent is recommended.
Until a firmware or system update is available, users should be cautious about the physical security of their vehicles and consider additional security measures such as secondary authentication methods or physical barriers.