CVE-2026-1354
Received Received - Intake
Bluetooth Forced Pairing Vulnerability in Zero Motorcycles Firmware Enables Malicious Updates

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: ICS-CERT

Description
Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1354
EUVD
EUVD-2026-24507
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zero_motorcycles firmware 44
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-322 The product performs a key exchange with an actor without verifying the identity of that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that your Zero Motorcycles device is not left in Bluetooth pairing mode when unattended.

Limit physical proximity to the motorcycle to trusted individuals only, as an attacker must be near the vehicle to exploit this issue.

Avoid pairing unknown devices with the motorcycle and monitor any unexpected Bluetooth pairing attempts.

Executive Summary

This vulnerability affects Zero Motorcycles firmware versions 44 and prior. It allows an attacker to forcibly pair their device with the motorcycle via Bluetooth when the motorcycle is in Bluetooth pairing mode. The attacker must be in proximity to the motorcycle and understand the full pairing process to succeed. Once paired, the attacker can use the over-the-air firmware update feature to potentially upload malicious firmware to the motorcycle. The attacker's device must remain paired and close to the motorcycle throughout the firmware update process.

Impact Analysis

The vulnerability can allow an attacker to upload malicious firmware to a Zero Motorcycle, which could compromise the motorcycle's functionality or safety. This could lead to unauthorized control, disruption of normal operations, or other harmful effects on the motorcycle while it is in use.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart