PerfektBlue - critical vulnerabilities in OpenSynergy Blue SDK

A chain of 4 vulnerabilities in Blue SDK Bluetooth stack leading to 1-click RCE

Release date: 7.7.2025

Product: OpenSynergy BlueSDK

Affected versions: N/A

Fixed versions: N/A

Severity: Critical

CVE numbers: CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434

Authors: Mikhail Evdokimov (PCA)

Visit PerfektBlue webpage: https://perfektblue.pcacybersecurity.com


PRODUCT DESCRIPTION

OpenSynergy Bluetooth Protocol Stack (BlueSDK) currently provides the A2DP, AVRCP, VDP, BIP, BPP, CTN, FTP, GPP, HFP, HSP, HCRP, HDP, HID, MAP, OPP, PAN, PBAP, SAP, DUN, FAX, DID and GATT profiles. It is licensed by the Bluetooth Special Interest Group (SIG). The Bluetooth Software Development Kit (BlueSDK) can easily be integrated into any operating system. It supports both BR/EDR (Classic) and Low Energy operation; classic profiles and low energy profiles use the same underlying protocol stack software.

BlueSDK is a popular embedded Bluetooth stack used in the automotive industry, therefore many automotive products on the market may be affected by the identified vulnerabilities.

PCA Team did not have access to the source code of the BlueSDK product and performed its analysis on a compiled BlueSDK-based Bluetooth executable located on the testing device.

SUMMARY

PCA Security Assessment Team identified multiple vulnerabilities of low-to-critical severity which, chained together, allow an attacker to obtain 1-click Remote Code Execution (RCE) in the operating system of a device that uses the BlueSDK Bluetooth stack. With this level of access, an attacker could manipulate the system, escalate privileges and perform lateral movement to other components of the target product.

The BlueSDK implementation supports various security levels for incoming connections from remote devices. It is the responsibility of the end developer to select an appropriate authorization security level for a target Bluetooth profile.

On the testing devices PCA Team used for vulnerability research and verification, the vulnerabilities were reachable only after pairing. However, they may be reachable before the pairing process on some devices that use BlueSDK, as this depends heavily on the implementation chosen by the end developer (either the profile security level or the "Just Works" SSP mode, which completes pairing without user confirmation).

CVE ID           Description                                            CVSS 3.1 score
CVE-2024-45434   Use-After-Free in AVRCP service                        8.0 (Critical)
CVE-2024-45431   Improper validation of an L2CAP channel's remote CID   3.5 (Low)
CVE-2024-45433   Incorrect function termination in RFCOMM               5.7 (Medium)
CVE-2024-45432   Function call with incorrect parameter in RFCOMM       5.7 (Medium)

DISCLOSURE TIMELINE

Date         Description
17/05/2024   First contact with OpenSynergy Security Team
24/05/2024   Exchange of public keys. Advisory sent to psec@opensynergy.com
12/06/2024   OpenSynergy confirmed receipt of the report
19/06/2024   PCA confirmed PerfektBlue presence in ICAS3 infotainment. Verified on Volkswagen ID.4. Volkswagen incident response team was informed
10/07/2024   Follow-up from PCA Security Assessment Team to OpenSynergy
15/07/2024   OpenSynergy confirmed the vulnerabilities and informed PCA that it was working on patches
30/08/2024   CVE numbers were reserved through MITRE
09/2024      According to OpenSynergy, patches were ready
31/10/2024   PCA confirmed PerfektBlue presence in MIB3 by Preh Car Connect. Verified on Skoda Superb 3. Volkswagen incident response team was informed
31/10/2024   PCA shared the public advisory with OpenSynergy for review. Disclosure scheduled for 2025 to give vendors and suppliers enough time to patch
05/11/2024   PCA confirmed PerfektBlue presence in Mercedes NTG6 IVI. Confirmed on an NTG6 test bench. Mercedes security team was informed
09/11/2024   OpenSynergy provided feedback on the advisory
19/03/2025   PCA shared the text of the PerfektBlue website perfektblue.pcacybersecurity.com with OpenSynergy for review
06/06/2025   PCA confirmed PerfektBlue presence in multiple vehicles of an undisclosed OEM. Their security team was informed
10/06/2025   Publication of the website and the advisory scheduled for 2 July. PCA informed OpenSynergy of the publication date
23/06/2025   The undisclosed OEM informed PCA that it had not received a vulnerability notice or a patch from its supply chain. PCA proceeds with publication without disclosing the OEM
07/07/2025   This advisory becomes public to raise awareness of the attack chain among OEMs, suppliers and product users

PCA would like to note that OpenSynergy freely communicated with us and handled our disclosure promptly.

According to OpenSynergy, patches were rolled out in September 2024. However, not all OEMs had received the patch by June 2025. This was probably caused by long and complex vehicle supply chains.

TECHNICAL DETAILS

CVE-2024-45434: Use-After-Free In AVRCP

The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of validation that an object still exists prior to performing operations on it (Use-After-Free). An attacker can leverage this vulnerability to obtain remote code execution in the context of the user under which the Bluetooth process runs.
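The hardening pattern that addresses this bug class is to never act on a cached object pointer but to resolve the session on every event through a table that is cleared before the object is freed. The following is an added illustration written for this advisory; it is not BlueSDK code (which is closed-source) and does not reproduce the BlueSDK AVRCP flaw. All names (avrcp_session, session_handle_t, the slot table) are invented, and the generation-counter handle scheme is one common way to implement the missing existence check:

```c
/* Added example: handle table with generation counters so a command that arrives
 * for a session that was already torn down is rejected instead of touching freed
 * memory. Illustrative only; not OpenSynergy BlueSDK code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS 4

/* Stand-in for an AVRCP/AVCTP session object; a real stack keeps far more state. */
struct avrcp_session {
    uint16_t remote_cid;   /* L2CAP CID of the peer's AVCTP endpoint */
    uint32_t cmds_seen;    /* commands processed on this session */
};

/* Slot table: the generation changes on every allocation, so a handle issued for
 * an earlier occupant of the same slot no longer resolves. */
static struct {
    struct avrcp_session *obj;
    uint32_t gen;
} slots[MAX_SESSIONS];

typedef uint32_t session_handle_t;   /* (slot << 16) | generation; 0 is never valid */

static session_handle_t make_handle(uint32_t slot, uint32_t gen) {
    return (slot << 16) | (gen & 0xFFFF);
}

session_handle_t avrcp_session_open(uint16_t remote_cid) {
    for (uint32_t i = 0; i < MAX_SESSIONS; i++) {
        if (slots[i].obj) continue;
        struct avrcp_session *s = calloc(1, sizeof *s);
        if (!s) return 0;
        s->remote_cid = remote_cid;
        slots[i].gen++;
        if ((slots[i].gen & 0xFFFF) == 0) slots[i].gen++;   /* keep generation non-zero */
        slots[i].obj = s;
        return make_handle(i, slots[i].gen);
    }
    return 0;   /* table full */
}

/* The existence check: a handle resolves only while its slot is occupied by the
 * very object the handle was issued for. */
struct avrcp_session *avrcp_session_lookup(session_handle_t h) {
    uint32_t slot = h >> 16, gen = h & 0xFFFF;
    if (h == 0 || slot >= MAX_SESSIONS) return NULL;
    if (!slots[slot].obj || (slots[slot].gen & 0xFFFF) != gen) return NULL;
    return slots[slot].obj;
}

void avrcp_session_close(session_handle_t h) {
    struct avrcp_session *s = avrcp_session_lookup(h);
    if (!s) return;
    slots[h >> 16].obj = NULL;   /* unpublish before free: no later lookup reaches freed memory */
    free(s);
}

/* Vulnerable shape, kept for contrast: a raw pointer cached when the session opened
 * and dereferenced on every later event. After avrcp_session_close() it dangles,
 * and the next peer command is a use-after-free. Never called after close here. */
static struct avrcp_session *cached_session;

int avrcp_on_command_unchecked(void) {
    cached_session->cmds_seen++;        /* UAF if the session was closed meanwhile */
    return (int)cached_session->cmds_seen;
}

/* Hardened shape: resolve the handle on every event and refuse stale ones. */
int avrcp_on_command_checked(session_handle_t h) {
    struct avrcp_session *s = avrcp_session_lookup(h);
    if (!s) return -1;   /* command for a session that no longer exists */
    s->cmds_seen++;
    return (int)s->cmds_seen;
}

/* Scenario: open, two commands, close, a late command, then a new session that
 * reuses the slot. Returns 1 when every stale access is rejected. */
int demo_stale_session_rejected(void) {
    session_handle_t h = avrcp_session_open(0x0041);
    if (h == 0) return 0;
    if (avrcp_on_command_checked(h) != 1 || avrcp_on_command_checked(h) != 2) return 0;
    avrcp_session_close(h);
    if (avrcp_on_command_checked(h) != -1) return 0;   /* late command refused */
    session_handle_t h2 = avrcp_session_open(0x0042);
    if (h2 == 0 || h2 == h) return 0;                  /* same slot, new generation */
    if (avrcp_session_lookup(h) != NULL) return 0;     /* old handle still dead */
    if (avrcp_on_command_checked(h2) != 1) return 0;
    avrcp_session_close(h2);
    return 1;
}
```

The generation counter matters because the allocator will readily hand the freed block, or the freed slot, to the next incoming connection: a plain "is the slot occupied" test would then let a stale handle from a previous peer operate on the new session.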

CVE-2024-45431: Improper validation of a L2CAP channel's remote CID

The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of proper validation of the remote L2CAP channel ID (CID). An attacker can leverage this vulnerability to create an L2CAP channel with the null identifier (CID 0x0000) assigned as its remote CID.
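The check that is missing here is a range check on the CID the peer supplies in the L2CAP signaling exchange. The Bluetooth Core Specification (Vol 3, Part A, Section 2.1) reserves CID 0x0000 as the null identifier and 0x0001 to 0x003F for fixed and reserved channels; a dynamic channel endpoint must therefore lie in 0x0040 to 0xFFFF. The following added example, written for this advisory and not taken from BlueSDK, parses the Connection Request and Connection Response PDUs, extracts the peer's CID (Source CID of a request, Destination CID of a response) and shows the unchecked path beside the checked one. The sample PDUs are constructed for the example, not captured traffic, and the function names are invented:

```c
/* Added example: validating a peer-supplied L2CAP CID in connection signaling.
 * Illustrative only; not OpenSynergy BlueSDK code. */
#include <stdint.h>
#include <stddef.h>

/* Signaling command codes (Bluetooth Core Spec, Vol 3 Part A, Section 4). */
#define L2CAP_CONNECTION_REQ 0x02
#define L2CAP_CONNECTION_RSP 0x03

/* CID space for BR/EDR (Vol 3 Part A, Section 2.1): 0x0000 is the null identifier,
 * 0x0001-0x003F are fixed or reserved, 0x0040-0xFFFF are dynamically allocated. */
#define L2CAP_CID_NULL    0x0000
#define L2CAP_CID_DYN_MIN 0x0040

#define L2CAP_CONN_RESULT_SUCCESS 0x0000

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));   /* L2CAP fields are little-endian */
}

/* The check CVE-2024-45431 describes as missing: a peer-supplied CID for a dynamic
 * channel must be in the dynamic range, which in particular excludes the null CID. */
int l2cap_remote_cid_valid(uint16_t cid) {
    return cid >= L2CAP_CID_DYN_MIN;
}

/* Extract the peer's endpoint CID from a signaling PDU: the Source CID of a
 * Connection Request or the Destination CID of a Connection Response.
 * Returns the CID (0..0xFFFF) or -1 if the PDU is malformed or not a connection PDU.
 * With check != 0 it additionally rejects CIDs outside the dynamic range and a
 * Connection Response whose Result is not "successful". check == 0 is the
 * unchecked behaviour the advisory describes. */
int l2cap_peer_cid(const uint8_t *pdu, size_t len, int check) {
    if (len < 4) return -1;                        /* code, identifier, length */
    uint8_t code = pdu[0];
    uint16_t dlen = rd16(pdu + 2);
    if ((size_t)dlen + 4 > len) return -1;         /* length field exceeds buffer */
    const uint8_t *d = pdu + 4;
    uint16_t cid;

    if (code == L2CAP_CONNECTION_REQ) {
        if (dlen < 4) return -1;                   /* PSM, Source CID */
        cid = rd16(d + 2);
    } else if (code == L2CAP_CONNECTION_RSP) {
        if (dlen < 8) return -1;                   /* Dest CID, Source CID, Result, Status */
        cid = rd16(d);
        if (check && rd16(d + 4) != L2CAP_CONN_RESULT_SUCCESS) return -1;
    } else {
        return -1;
    }
    if (check && !l2cap_remote_cid_valid(cid)) return -1;
    return cid;
}

/* Constructed sample PDUs (not captured traffic). */
/* Connection Response, id 1: DCID 0x0000 (null identifier), SCID 0x0040, Result success. */
const uint8_t SAMPLE_RSP_NULL_DCID[] = {0x03, 0x01, 0x08, 0x00,
                                        0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Connection Response, id 1: DCID 0x0041, SCID 0x0040, Result success. */
const uint8_t SAMPLE_RSP_OK[] = {0x03, 0x01, 0x08, 0x00,
                                 0x41, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Connection Request, id 2: PSM 0x0017 (AVCTP), SCID 0x0001 (signaling CID; not a dynamic CID). */
const uint8_t SAMPLE_REQ_FIXED_SCID[] = {0x02, 0x02, 0x04, 0x00, 0x17, 0x00, 0x01, 0x00};
/* Connection Request, id 2: PSM 0x0017 (AVCTP), SCID 0x0040. */
const uint8_t SAMPLE_REQ_OK[] = {0x02, 0x02, 0x04, 0x00, 0x17, 0x00, 0x40, 0x00};
/* Truncated response: length field claims 8 payload bytes but only 4 follow. */
const uint8_t SAMPLE_RSP_TRUNC[] = {0x03, 0x01, 0x08, 0x00, 0x41, 0x00, 0x40, 0x00};
```

Whether the null-CID channel is reachable before or after pairing is a property of the profile's security level, not of this parser; the check above is cheap enough to apply to every connection PDU regardless.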

CVE-2024-45433: Incorrect function termination in RFCOMM

The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of proper return control flow after an unusual condition has been detected. An attacker can leverage this vulnerability to bypass a security validation and have the incoming data processed anyway.

CVE-2024-45432: Function call with incorrect parameter in RFCOMM

The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from an incorrect variable being used as a function argument. An attacker can leverage this vulnerability to cause unexpected behaviour or obtain an information leak.

AFFECTED VENDORS

Public resources containing Bluetooth certification information were used to identify vendors and products using the BlueSDK framework; the vendors and products identified this way are therefore potentially affected. In addition, the vulnerabilities were confirmed on four in-vehicle infotainment units from different manufacturers.

The following table is a non-exhaustive list of affected vendors:

Vendor             Comments
Mercedes-Benz AG   Affected
Volkswagen         Affected
Skoda              Affected
Undisclosed OEM    Affected

In addition to the vendors mentioned above, many others, including vendors outside the automotive industry, are also likely vulnerable to this attack.

Mercedes-Benz: Proof of Exploitation

PCA Team performed proof-of-concept exploitation on a Mercedes-Benz NTG6 head unit. It is important to note that this is one of many vulnerable Mercedes-Benz head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well. The latest-generation head unit model, NTG7 (with up-to-date firmware), may also be affected, as it uses BlueSDK as its Bluetooth stack.

Information about the testing device is the following:

Vendor          IVI Part Number         Firmware Version     Firmware Release Date
Mercedes-Benz   A 253 900 69 05 / 001   apilevel/ntg6/080    ~2020-2021

Below is the demonstration of the reverse shell obtained over TCP/IP after successful Bluetooth exploitation. As can be seen, the Bluetooth process runs with the permissions of the phone user.

Volkswagen: Proof of Exploitation

PCA Team used a Volkswagen MEB ICAS3 head unit for exploitation verification. This head unit is installed in the Volkswagen ID model line. It is important to note that this is one of many vulnerable Volkswagen head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well.

Information about the testing device is the following:

Vendor       IVI Part Number   Firmware Version                     Firmware Release Date
Volkswagen   10A035816E        0792 (ID software version: 2.1)      Q1 2021
Volkswagen   10A035816J        0561 (ID software version: 3.2.12)   Dec. 2023

The exploit verification was conducted on the 0561 and 0792 firmware versions. Below is the demonstration of the reverse shell obtained over TCP/IP after successful Bluetooth exploitation (on firmware version 0561). As can be seen, the Bluetooth process runs with the permissions of the sint_sec_btapp user.

Skoda: Proof of Exploitation

PCA Team used a Skoda MIB3 head unit for exploitation verification. This head unit is installed in the Skoda Superb model line and some Volkswagen model lines. It is important to note that this is one of many vulnerable Skoda head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well.

Information about the testing device is the following:

Vendor   IVI Part Number   Firmware Version   Firmware Release Date
Skoda    3V0035820J        MIB3 0304          ~2022

Below is the demonstration of the reverse shell obtained over TCP/IP after successful Bluetooth exploitation. As can be seen, the Bluetooth process runs with the permissions of the phone user.

CREDITS

PCA Security Assessment team:

  • Abdellah Benotsmane
  • Aleksei Stennikov
  • Artem Ivachev
  • Danila Parnishchev
  • Mikhail Evdokimov
  • Polina Smirnova
  • Radu Motspan
