CVE-2025-32063 MEDIUM

CVE-2025-32063: Enabling SSH server on Infotainment ECU

Vendor Bosch
Product Infotainment system ECU
Weakness CWE-306 · Missing auth
Published February 15, 2026
Last update February 17, 2026

CVSS base score

6.8/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A misconfiguration vulnerability exists in the Infotainment ECU manufactured by Bosch. It occurs during the startup phase of a specific systemd service and activates developer features: the firewall is disabled and an SSH server is launched. It was first identified on a Nissan Leaf ZE1 manufactured in 2020.

Key dates

02 Disclosure timeline

February 15, 2026 CVE published
February 17, 2026 Record updated