CVE-2022-3093

MEDIUM

Tesla Vehicle Firmware 2022.16.0.3 - Physical Root Code Execution via ice_updater

Description

This vulnerability allows physical attackers to execute arbitrary code on affected Tesla vehicles. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ice_updater update mechanism. The issue results from the lack of proper validation of user-supplied firmware. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17463.

Scores

CVSS v3 6.4
EPSS 0.0044
EPSS Percentile 34.8%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-367
Status published
Products (4)
tesla/model_3_firmware < 2022.16.0.3
tesla/model_s_firmware < 2022.16.0.3
tesla/model_x_firmware < 2022.16.0.3
tesla/model_y_firmware < 2022.16.0.3
Published Mar 29, 2023
Tracked Since Feb 18, 2026