Cybersecurity researchers have uncovered a critical set of Bluetooth vulnerabilities affecting millions of vehicles across multiple major manufacturers, including Mercedes-Benz, Volkswagen, and Škoda. The vulnerabilities, collectively named “PerfektBlue”, reside within OpenSynergy’s BlueSDK Bluetooth stack and, if successfully exploited, could lead to remote code execution (RCE) in vehicles.

According to PCA Cyber Security (formerly PCAutomotive), these flaws can be chained together to allow attackers to run arbitrary code on affected vehicles’ infotainment systems. In some cases, this access could potentially extend to more sensitive in-vehicle systems, depending on how each car manufacturer has structured its internal networks.

Exploitation Within Bluetooth Range

To carry out an attack, a threat actor only needs to be within Bluetooth range and able to initiate a pairing process with the vehicle’s infotainment system. While this might sound like a high barrier, PCA notes that the actual process depends on each car’s implementation—some may require no user interaction at all.

The vulnerabilities identified include:

• CVE-2024-45434 (Use-After-Free in AVRCP service) — CVSS 8.0
• CVE-2024-45431 (Improper validation of L2CAP channel CID) — CVSS 3.5
• CVE-2024-45433 (Incorrect function termination in RFCOMM) — CVSS 5.7
• CVE-2024-45432 (Function call with incorrect parameter in RFCOMM) — CVSS 5.7

Together, these flaws could allow an attacker to access GPS data, record audio, read contact lists, or even move laterally across the system to gain more control—potentially even impacting engine or brake functions depending on the car’s architecture.

Real-World Implications and Manufacturer Response

In a statement to The Hacker News, Volkswagen clarified that the vulnerabilities are limited to the infotainment system and do not affect driving-critical components like steering, engine, or brakes. The company emphasized that multiple conditions must be met for the exploit to work:

• The attacker must be within 5–7 meters of the vehicle
• The ignition must be turned on
• The infotainment system must be in Bluetooth pairing mode
• The vehicle user must approve the pairing on screen

Even if those conditions are met, attackers would only have access to limited infotainment functions.

Volkswagen is actively addressing the issue through software updates, and in some cases, vehicle owners may need to visit a dealership to complete the patching process.

Security Recommendations

PCA Cyber Security advises all users to update their vehicles as soon as possible and to verify Bluetooth pairing data during the connection process to avoid unauthorized access. Manufacturers are also encouraged to audit their internal network segmentation and strengthen isolation between infotainment and critical systems.

This discovery follows a growing trend of cybersecurity risks targeting modern vehicles, where connectivity features—while convenient—also open new doors for sophisticated threats.

Source: https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html