CVE-2026-1354
Bluetooth Forced Pairing Vulnerability in Zero Motorcycles Firmware Enables Malicious Updates
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: ICS-CERT
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zero_motorcycles | firmware | 44 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-322 | The product performs a key exchange with an actor without verifying the identity of that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Zero Motorcycles firmware versions 44 and prior. It allows an attacker to forcibly pair their device with the motorcycle via Bluetooth when the motorcycle is in Bluetooth pairing mode. The attacker must be in proximity to the motorcycle and understand the full pairing process to succeed. Once paired, the attacker can use the over-the-air firmware update feature to potentially upload malicious firmware to the motorcycle. The attacker's device must remain paired and close to the motorcycle throughout the firmware update process.
How can this vulnerability impact me?
The vulnerability can allow an attacker to upload malicious firmware to a Zero Motorcycle, which could compromise the motorcycle's functionality or safety. This could lead to unauthorized control, disruption of normal operations, or other harmful effects on the motorcycle while it is in use.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that your Zero Motorcycles device is not left in Bluetooth pairing mode when unattended.
Limit physical proximity to the motorcycle to trusted individuals only, as an attacker must be near the vehicle to exploit this issue.
Avoid pairing unknown devices with the motorcycle and monitor any unexpected Bluetooth pairing attempts.