CVE-2023-28897 MEDIUM

CVE-2023-28897: Hard-coded password for UDS services

Vendor: Joynext
Product: MIB3 Infotainment Unit
Weakness: CWE-798 · Hardcoded credentials
Published: January 12, 2024
Last update: June 17, 2025

CVSS base score

4.0/10
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The secret value used for access to critical UDS services of the MIB3 infotainment unit is hardcoded in the firmware. The vulnerability was discovered on a Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.

Key dates

02 Disclosure timeline

January 12, 2024: CVE published
June 17, 2025: Record updated