CVE-2018-1170

HIGH

Volkswagen Customer-Link App 1.30 & HTC Customer-Link Bridge - Code...

Title source: llm

Description

This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App 1.30 and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages. Was ZDI-CAN-5264.

References (1)

[Third Party Advisory, VDB Entry] https://zerodayinitiative.com/advisories/ZDI-18-214

Scores

CVSS v3 8.8

EPSS 0.0026

EPSS Percentile 49.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-693

Status published

Affected Products (2)

htc/customer-link_bridge

volkswagen/customer-link

Timeline

Published Mar 02, 2018

Tracked Since Feb 18, 2026