CVE-2024-51074

MEDIUM

KIA Seltos v1.0 - Info Disclosure

Title source: llm

Description

Incorrect access control in KIA Seltos vehicle instrument cluster with software and hardware v1.0 allows attackers to arbitrarily change odometer readings in the vehicle by targeting the instrument cluster through the unsecured CAN network. NOTE: this is disputed by the supplier because the CAN bus is not externally exposed, and because the packets can only increase the odometer reading (which typically has no value to an adversary). Also, this is disputed by the Supplier because the findings came from a potentially unrealistic test environment (an isolated ECU part that was not in a vehicle), and because the observed behavior follows the UDS (Unified Diagnostic Services) specification.

References (2)

Core 2

Core References

Various Sources

https://github.com/nitinronge91/KIA-SELTOS-Cluster-Vulnerabilities/blob/0446f6fe6299eb39310e996c73d5513e70d76353/CVE/Odometer%20Manipulation%28Increase%29%20for%20KIA%20SELTOS%20Cluster%20CVE-2024-51074.md

View Writeup ZIP pw:eip

Third Party Advisory

https://en.wikipedia.org/wiki/CAN_bus

Scores

CVSS v3 6.7

EPSS 0.0008

EPSS Percentile 22.4%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Published Nov 22, 2024

Tracked Since Feb 18, 2026