Release date: 7.10.2025
PCA Cyber Security, a leading provider of penetration testing, threat intelligence, and cybersecurity monitoring services, today announces critical vulnerabilities in the Blue SDK Bluetooth stack developed by OpenSynergy. Blue SDK is integrated into millions of devices, and the list of potentially affected vendors includes at least 69 big international companies. The PCA Security Assessment team reported the vulnerabilities to OpenSynergy on May 24, 2024, and OpenSynergy acknowledged and confirmed them upon receipt. According to OpenSynergy, patches were rolled out in September 2024.
Introducing PerfektBlue – 1-click RCE attack
PerfektBlue is a critical, industry-wide over-the-air attack chain affecting devices in the automotive and other industries. The exploitation chain covers multiple vulnerabilities found in a specific Bluetooth stack that is widely used in the industry. Successful exploitation of the identified vulnerabilities leads to Remote Code Execution on a target device.
The PerfektBlue attack combines critical memory corruption and logical vulnerabilities identified in the OpenSynergy Blue SDK Bluetooth stack, which can be chained to achieve Remote Code Execution (RCE) on millions of vehicles produced by numerous unrelated manufacturers. Although designed and used primarily in the automotive industry, the Blue SDK stack can also be found in other products, such as mobile phones and portable gadgets. This makes PerfektBlue a cross-industry vulnerability chain. PCA security researcher Mikhail Evdokimov, who originally discovered PerfektBlue, developed a successful proof-of-concept exploit, demonstrating how attackers could construct powerful primitives to bypass all the standard security mitigations on modern systems and achieve over-the-air remote code execution.
The only prerequisite for a PerfektBlue attack is pairing with the target device at a sufficient security level. However, due to the framework-based nature of Blue SDK, this requirement varies by implementation – some devices may limit pairing requests, require user interaction, or even disable pairing altogether.
Essentially, PerfektBlue requires at most 1 click from a user to be exploited over-the-air by an attacker.
What are the Potential Impacts?
With code execution on an IVI (in-vehicle infotainment) device, the Bluetooth-enabled part of a modern vehicle, an attacker can track GPS coordinates, record and play audio inside the car, and obtain personal phonebook data, although on some systems these impacts might additionally require a privilege escalation step from the Bluetooth service user to root.
Finally, an attacker with code execution on the IVI can try to perform lateral movement to other ECUs - legitimately or by exploiting other software components - and obtain access to critical elements of a car, such as the steering wheel, horn, wipers, etc. PCA researchers didn’t achieve this level of access on targets vulnerable to PerfektBlue. Nevertheless, previous PCA research not related to PerfektBlue, but with IVI Bluetooth as an attack entry point to the vehicle, proved such a possibility.
To protect against PerfektBlue, PCA advises product owners to keep their systems up to date or disable the Bluetooth functionality entirely. At the same time, product manufacturers are advised to check for the presence of the vulnerabilities in their products through their supply chains and get in touch with PCA Cyber Security’s experts to confirm PerfektBlue, discover other, yet unknown issues in their products, and receive professional remediation advice.
Have the Affected Vendors and OEMs Been Informed?
In line with our responsible disclosure practices, PCA Cyber Security reported the identified vulnerabilities to OpenSynergy prior to publication. The company acknowledged our findings and confirmed their intention to notify all affected vendors.
“OpenSynergy was notified in May, 2024 by PCAutomotive about a couple potential vulnerabilities (named PerfektBlue) in Blue SDK. We are pleased to confirm that corrections were applied and fixed the potential vulnerabilities, and relative patches were supplied to our customers in September, 2024. For further information, please contact OpenSynergy directly at info@opensynergy.com or please read more here about OpenSynergy's Security Mission.” - stated by OpenSynergy in relation to PerfektBlue on their website.
In addition, PCA Cyber Security notified the security teams of Volkswagen/Skoda, Mercedes-Benz, and a third undisclosed OEM that PCA had proved their products to be affected. PCA provided a high-level attack description, CVE numbers reserved through MITRE, and vulnerability confirmation materials to each OEM’s security team individually. Although many other OEMs are potentially affected, by the time of publication PCA had directly reported only to the OEMs whose products were proven vulnerable, as soon as the vulnerabilities were confirmed at the PCA research lab. All approached OEMs confirmed the presence of the vulnerabilities in their products.
Although OpenSynergy intended to inform affected parties, this information did not successfully reach some affected OEMs. One of the reasons might be a long and complex supply chain. PCA encountered this lack of awareness after confirming PerfektBlue on the undisclosed OEM’s products and reporting it to their security team on the 6th of June 2025. Since this OEM only recently became aware of PerfektBlue in their products, PCA currently does not disclose this OEM and will update its public advisory with more details and vulnerability confirmation proofs when the affected products are patched.
“Our research aims to uncover and responsibly disclose sophisticated attack chains targeting modern automotive technologies, contributing to a more proactive security mindset across the industry. Ongoing security research not only supports the ecosystem but also continuously enhances our capabilities, enabling us to deliver high-quality, on-demand product penetration testing services.” - said Danila Parnishchev, Head of Security Assessment at PCA Cyber Security.
Interviews & Technical Insights
The public Security Advisory of PerfektBlue is now available at perfektblue.pcacybersecurity.com. Further and deeper technical details of our research will be presented at one of the upcoming industry events (TBC) later this year. In the meantime, journalists can request interviews (via email) with the leader of PCA Cyber Security’s Security Assessment team for further insights.
For media inquiries, contact Kamilla Tóth, Marketing Director, PCA Cyber Security (k.toth@pcacybersecurity.com).
About PCA Cyber Security
PCA Cyber Security is a cybersecurity company specializing in penetration testing, threat intelligence, and cybersecurity monitoring for automotive, financial services, energy, and manufacturing industries. Founded in 2019 and headquartered in Budapest, Hungary, PCA Cyber Security employs 30 cybersecurity experts focused on embedded devices, IoT systems, and connected infrastructure.
PCA Cyber Security works with leading brands to enhance the security of vehicles, ECUs, payment platforms, payment terminals, and other connected devices, including their infrastructure. Beyond cybersecurity assessment, PCA Cyber Security delivers threat intelligence and monitoring services, helping organizations mitigate cyber risks and stay ahead of attackers.
In 2024, PCA Cyber Security expanded with regional sales offices in Madrid, Spain, and Munich, Germany, further supporting its global client base.
For more information, visit: https://pcacybersecurity.com/
Contact:
Kamilla Tóth
Marketing Director, PCA Cyber Security
k.toth@pcacybersecurity.com
About OpenSynergy
OpenSynergy provides embedded software products for the next generation of vehicles. Its hypervisor and communication products pave the way for an integrated driving experience.
The automotive virtual platform COQOS Hypervisor SDK integrates a mix of real-time applications and open source solutions on powerful domain controllers. It supports a large bundle of features corresponding to the virtualization standard VIRTIO, creating maximum flexibility: guest operating systems can be used and reused on different Systems on Chips. The automotive leading Bluetooth® stack Blue SDK is one of OpenSynergy’s communications platforms. It is the reference Bluetooth® implementation for many OEMs around the world. OpenSynergy further provides complimentary Automotive-Grade software components tailored for the Android™ Open Source Project (AOSP) to boost Android’s adoption in the automotive domain. OpenSynergy also provides engineering services to support the customization of its products. Read more on www.opensynergy.com
Contact:
Tel.: +49 (0)30.60 98 540-41
Email: marketing@opensynergy.com