CVE-2026-1354 MEDIUM

CVE-2026-1354: Zero Motorcycles Firmware Key Exchange without Entity Authentication

Vendor Zero Motorcycles
Product Zero Motorcycles firmware
Weakness CWE-322
Published April 21, 2026
Last update April 22, 2026

CVSS base score

6.4/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated