Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by BYD
CVE-2025-7020 (GCVE-0-2025-7020)
Vulnerability from cvelistv5 – Published: 2025-08-09 12:42 – Updated: 2025-08-11 15:54
VLAI
Title
BYD DiLink OS Incorrect encryption Implementation of system log dumps
Summary
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.
This vulnerability was introduced in a patch intended to fix CVE-2024-54728.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-656 - Incorrect Encryption Implementation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://asrg.io/security-advisories/cve-2025-7020/ | third-party-advisory |
Date Public
2025-08-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T15:54:29.496185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T15:54:36.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Multimedia Unit",
"IVI",
"filesystem",
"log dump"
],
"platforms": [
"Dilink 3.0"
],
"product": "DiLink OS",
"vendor": "BYD",
"versions": [
{
"status": "affected",
"version": "13.1.32.2307211.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lior Zur Lotan (PlaxidityX)"
}
],
"datePublic": "2025-08-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\u003c/p\u003e\u003cp\u003eThis vulnerability was introduced in a patch intended to fix CVE-2024-54728.\u003c/p\u003e"
}
],
"value": "An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD\u0027s DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit\u0027s storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.\n\nThis vulnerability was introduced in a patch intended to fix CVE-2024-54728."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/V:D/RE:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-656",
"description": "CWE-656: Incorrect Encryption Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T12:42:29.150Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2025-7020/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"value": "It is recommended to review and correct the encryption implementation used for system log dumps, ensuring the use of secure key management and proper encryption algorithm implementation practices."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BYD DiLink OS Incorrect encryption Implementation of system log dumps",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2025-7020",
"datePublished": "2025-08-09T12:42:29.150Z",
"dateReserved": "2025-07-02T12:24:26.302Z",
"dateUpdated": "2025-08-11T15:54:36.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}