CVE-2023-28897: Hard-coded password for UDS services

CVE ID

CVE-2023-28897

Description

The secret value used to gain access to critical UDS services on the MIB3 infotainment unit is hard-coded in the firmware.

Vulnerability discovered on Škoda Superb III (3V3) – 2.0 TDI manufactured in 2022.

References

Problem Type

CWE-798 Use of Hard-coded Credentials

CAPEC ID

CAPEC-115 Authentication Bypass

Affected Products

MIB3 Infotainment Unit

CVSS 3.1 Score

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N