CVE-2025-2082

HIGH

Tesla Model 3 Firmware < 2024.14 - Unauthenticated Remote Code Execution via VCSEC Integer Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-2082. PoCs published by Burak1320demiroz, shirabo.

AI-analyzed exploit summary: This repository contains an interactive educational scenario based on CVE-2025-2082, describing a theoretical attack on Tesla Model 3 via TPMS protocol exploitation leading to CAN bus control. It is purely a simulation with no functional exploit code.

Description

Tesla Model 3 VCSEC Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Tesla Model 3 vehicles. Authentication is not required to exploit this vulnerability. The specific flaw exists within the VCSEC module. By manipulating the certificate response sent from the Tire Pressure Monitoring System (TPMS), an attacker can trigger an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the VCSEC module and send arbitrary messages to the vehicle CAN bus. Was ZDI-CAN-23800.

Exploits (2)

nomisec WRITEUP 3 stars
by Burak1320demiroz · poc
https://github.com/Burak1320demiroz/cve-2025-2082

This repository contains an interactive educational scenario based on CVE-2025-2082, describing a theoretical attack on Tesla Model 3 via TPMS protocol exploitation leading to CAN bus control. It is purely a simulation with no functional exploit code.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Tesla Model 3 (theoretical)
No auth needed
Prerequisites: None (educational scenario only)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by shirabo · poc
https://github.com/shirabo/cve-2025-2082-POV

This PoC demonstrates a function pointer overwrite vulnerability in Tesla's VCSEC component via a signed-to-unsigned integer conversion bug, leading to arbitrary code execution. It exploits a `memcpy()` operation with a negative `startIndex` to corrupt memory and hijack a function pointer.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tesla VCSEC (Vehicle Controller Security) component
No auth needed
Prerequisites: Ability to send crafted BLE messages to the target system
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory x_research-advisory
https://www.zerodayinitiative.com/advisories/ZDI-25-265/

Scores

CVSS v3 7.5
EPSS 0.0033
EPSS Percentile 24.7%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-190
Status published
Products (1)
tesla/model_3_firmware < 2024.14
Published Apr 30, 2025
Tracked Since Feb 18, 2026