CVE-2025-7020 MEDIUM

CVE-2025-7020: BYD DiLink OS Incorrect Encryption Implementation of System Log Dumps

Vendor BYD
Product DiLink OS
Weakness CWE-656 (Reliance on Security Through Obscurity)
Published August 9, 2025
Last update August 11, 2025

CVSS base score

5.1/10 (Medium)
Attack vector Physical
Attack complexity Low
Attack requirements None
Privileges required None
User interaction None
Confidentiality (vulnerable system) High
Integrity (vulnerable system) None
Availability (vulnerable system) None
Subsequent system impact Confidentiality Low, Integrity None, Availability None

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/V:D/RE:H

Supplemental metrics carried in the vector: Automatable Yes (AU:Y), Value Density Diffuse (V:D), Vulnerability Response Effort High (RE:H). The attack vector is Physical (AV:P), so the score assumes the attacker can reach the IVI unit's storage; no privileges or user interaction are needed once they can.

What the vulnerability does

Description

An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the ATTO3 model). An attacker with physical access to the vehicle can bypass the encryption applied to log dumps stored on the In-Vehicle Infotainment (IVI) unit's storage and read the system logs, which contain sensitive data including personally identifiable information (PII) and location data. The flaw was introduced by the patch intended to fix CVE-2024-54728, so a system that received that patch should be treated as affected rather than fixed; the record does not list a corrected version.
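As an added illustration (not BYD's code and not taken from this record), the following Python script is the check a tester would run on a log dump pulled from IVI storage to decide whether it is genuinely ciphertext or readable plaintext carrying PII and location data, which is the condition the description above says an attacker can reach. The sample dump contents, the regex patterns and the entropy and printable-ratio thresholds are constructed assumptions for this example, not details of DiLink's dump format.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample: a cleartext dump with deliberately fake values.
# Not a real DiLink log; it only stands in for "what a leaked dump looks like".
CLEARTEXT_DUMP = b"""\
2025-08-01 07:12:03 gps: lat=48.858370 lon=2.294481 speed=34
2025-08-01 07:12:04 phone: paired=+33 6 12 34 56 78 name=Alice
2025-08-01 07:12:05 vehicle: vin=WVWZZZ1JZXW000001 odometer=18342
""" * 20


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a correctly encrypted dump.

    This is a SHA-256 chain, not encryption; it only gives the checker
    something that looks like ciphertext without needing a crypto library.
    """
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


CIPHERTEXT_DUMP = pseudo_ciphertext(4096)

# Patterns whose presence means the dump is readable and carries PII/location.
# Hypothetical heuristics for this example; tune them to the target's log format.
PII_PATTERNS = {
    "coordinate": re.compile(rb"\b-?\d{1,3}\.\d{4,}\b"),   # decimal lat/lon
    "phone": re.compile(rb"\+\d[\d ]{7,}\d"),             # international number
    "vin": re.compile(rb"\b[A-HJ-NPR-Z0-9]{17}\b"),       # 17-char VIN, no I/O/Q
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; well-encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def assess_dump(data: bytes) -> dict:
    """Classify a recovered dump as 'plaintext' or 'ciphertext'.

    Any PII hit is decisive on its own; otherwise the statistical
    thresholds (assumed values) decide.
    """
    entropy = shannon_entropy(data)
    ratio = printable_ratio(data)
    hits = {name: len(p.findall(data)) for name, p in PII_PATTERNS.items()}
    readable = ratio > 0.9 or entropy < 6.0
    return {
        "entropy": round(entropy, 2),
        "printable_ratio": round(ratio, 2),
        "pii_hits": hits,
        "verdict": "plaintext" if readable or any(hits.values()) else "ciphertext",
    }


if __name__ == "__main__":
    for label, dump in (("cleartext sample", CLEARTEXT_DUMP),
                        ("ciphertext sample", CIPHERTEXT_DUMP)):
        print(label, assess_dump(dump))
```

The statistical test alone is not proof of correct encryption: a dump that is compressed before a weak or bypassable encryption step will also look random. The PII scan is what turns "looks encrypted" into an actual finding, so run it on whatever the bypass yields, not only on the raw file.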

Key dates

Disclosure timeline

August 9, 2025 CVE published
August 11, 2025 Record updated

Related vulnerabilities

Related CVE

CVE-2024-54728: the earlier DiLink OS issue whose patch introduced this vulnerability.