CVE-2023-28904 MEDIUM

CVE-2023-28904: Bypass of secure boot process

Vendor Preh Car Connect GmbH (Joynext GmbH)
Product Volkswagen MIB3 infotainment system MIB3 OI MQB
Weakness CWE-120
Published June 28, 2025
Last update June 30, 2025

CVSS base score

5.2/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

A logic flaw leading to a RAM buffer overflow in the bootloader component of the MIB3 infotainment unit allows an attacker with physical access to the MIB3 ECU to bypass firmware signature verification and run arbitrary code in the infotainment system during the boot process.

Key dates

02 Disclosure timeline

June 28, 2025 CVE published
June 30, 2025 Record updated