CVE-2024-12054
ZF RSSPlus 2M 01/08-01/23 - Authentication Bypass via SecurityAccess Service Seed
Severity
MEDIUM
ZF Roll Stability Support Plus (RSSPlus) is vulnerable to an authentication bypass that exploits deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment, or via a pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software; however, the vehicle remains in a safe vehicle state.
References (2)
Various Sources
https://nmfta.org/wp-content/media/2022/11/Actionable_Mitigations_Options_v9_DIST.pdf
Third Party Advisory, US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03
Scores
CVSS v3
5.4
EPSS
0.0022
EPSS Percentile
13.0%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-305
Status
published
Products (1)
ZF/RSSPlus 2M
01/08 - 01/23
Published
Feb 13, 2025
Tracked Since
Feb 18, 2026