CVE-2023-28895 LOW

CVE-2023-28895: Hard-coded password for access to power controller chip memory

Vendor Joynext
Product MIB3 Infotainment Unit
Weakness CWE-259
Published December 1, 2023
Last update December 2, 2024

CVSS base score

3.5/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment unit is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. The vulnerability was found on a Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.

Key dates

02 Disclosure timeline

December 1, 2023 CVE published
December 2, 2024 Record updated