CVE-2015-2908

Mobile Devices C4 OBD-II Dongle Firmware < 3.4 - Remote Code Execution via Unvalidated Firmware Update

Title source: llm

Description

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

References (2)

Core 2

Core References

Various Sources

https://www.usenix.org/conference/woot15/workshop-program/presentation/foster

Third Party Advisory, US Government Resource

http://www.kb.cert.org/vuls/id/209512

Scores

EPSS 0.0178

EPSS Percentile 75.4%

Details

CWE

CWE-345

Status published

Products (3)

mobile_devices/c4_obd-ii_dongle_firmware < 3.4

Munic/Mobile Devices (MDI) OBD-II dongles < 2.x

Munic/Mobile Devices (MDI) OBD-II dongles < 3.4.x

Published Aug 23, 2015

Tracked Since Feb 18, 2026