Bluetooth vulnerabilities called PerfektBlue enable remote hacking of vehicles from major automakers
Take action: This is another unusual one. If you drive a car from an affected manufacturer, that does not mean a patch will reach your vehicle: OpenSynergy shipped fixes to its customers in September 2024, but each automaker has to build and distribute its own firmware update. Contact your dealer or service center and ask whether an infotainment update is available, and be prepared for the answer to be no. In the meantime, only pair devices you own and recognize, leave the infotainment system out of pairing mode when you are not actively adding a device, and never accept a Bluetooth pairing prompt unless you are sure which device triggered it.
Learn More
A chain of vulnerabilities collectively named "PerfektBlue" has been reported in OpenSynergy's BlueSDK Bluetooth stack, which is used in millions of vehicles from major manufacturers including Mercedes-Benz, Volkswagen, and Skoda.
Chained together, the flaws can yield remote code execution on the head unit. The attack is delivered over the air and gives the attacker a foothold on the vehicle's infotainment system, which could enable GPS tracking, audio surveillance through the cabin microphone, and access to personal data synced from paired devices such as contacts and call logs.
Vulnerability summary:
- CVE-2024-45434 (CVSS score 8.0) - Use-after-free in the AVRCP (Audio/Video Remote Control Profile) service; this is the flaw that leads to code execution
- CVE-2024-45433 (CVSS score 5.7) - Incorrect function termination in the RFCOMM (Radio Frequency Communication) protocol
- CVE-2024-45432 (CVSS score 5.7) - Function call with an incorrect parameter in the RFCOMM protocol
- CVE-2024-45431 (CVSS score 3.5) - Improper validation of an L2CAP (Logical Link Control and Adaptation Protocol) channel's remote channel identifier (CID)
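To make the last item concrete, here is what validating a peer-supplied L2CAP CID looks like. This is an added example written for this page, not BlueSDK code (the stack's sources are not public), and it does not reproduce the actual bug. The packet layout and the CID ranges come from the Bluetooth Core Specification (Vol 3, Part A): a CONNECTION_RESPONSE carries the peer's CID, and any value below 0x0040 is the null CID, a fixed channel or reserved, so a conforming stack must refuse it before using it to look up channel state. The handler, the `l2cap_chan_t` table and the `run_case` harness are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* CID ranges per Bluetooth Core Spec, Vol 3, Part A, Sec. 2.1:
 * 0x0000 null, 0x0001 signaling, 0x0002-0x003F fixed/reserved,
 * 0x0040-0xFFFF dynamically allocated connection-oriented channels. */
#define L2CAP_CID_DYN_START   0x0040
#define L2CAP_CONN_RSP        0x03  /* signaling code: CONNECTION_RESPONSE */
#define L2CAP_SIG_HDR_LEN     4     /* Code(1) Identifier(1) Length(2)     */
#define L2CAP_CONN_RSP_LEN    8     /* DCID SCID Result Status, 2 bytes each */
#define L2CAP_CR_SUCCESS      0x0000

/* Hypothetical per-link channel table entry (not a BlueSDK structure). */
typedef struct {
    uint8_t  ident;      /* signaling Identifier we used in our request */
    uint16_t local_cid;  /* CID we allocated; peer must echo it as SCID */
    uint16_t remote_cid; /* peer's CID, only set once validated          */
    bool     open;
} l2cap_chan_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* A peer may only name a dynamically allocated CID as its own channel. */
bool l2cap_remote_cid_valid(uint16_t cid) { return cid >= L2CAP_CID_DYN_START; }

/* Process one CONNECTION_RESPONSE command. 0 = channel opened, <0 = rejected. */
int l2cap_handle_conn_rsp(l2cap_chan_t *tbl, size_t n,
                          const uint8_t *cmd, size_t cmd_len)
{
    if (cmd_len < L2CAP_SIG_HDR_LEN)        return -1;   /* truncated header */
    if (cmd[0] != L2CAP_CONN_RSP)           return -2;   /* wrong opcode     */
    uint8_t  ident = cmd[1];
    uint16_t len   = le16(cmd + 2);
    if (len != L2CAP_CONN_RSP_LEN ||
        cmd_len < L2CAP_SIG_HDR_LEN + L2CAP_CONN_RSP_LEN) return -3; /* bad length */

    const uint8_t *d = cmd + L2CAP_SIG_HDR_LEN;
    uint16_t dcid = le16(d), scid = le16(d + 2), result = le16(d + 4);

    /* Tie the response to an outstanding request by Identifier AND our own CID,
     * so a stray response cannot rebind an arbitrary channel. */
    l2cap_chan_t *ch = NULL;
    for (size_t i = 0; i < n; i++)
        if (!tbl[i].open && tbl[i].ident == ident && tbl[i].local_cid == scid) { ch = &tbl[i]; break; }
    if (!ch)                         return -4;  /* no matching request       */
    if (result != L2CAP_CR_SUCCESS)  return -5;  /* pending/refused: no channel */

    /* The validation step: reject null, fixed and reserved CIDs before the
     * value is ever used to index or route channel state. */
    if (!l2cap_remote_cid_valid(dcid)) return -6;

    /* Also refuse a remote CID already bound to another open channel on this link. */
    for (size_t i = 0; i < n; i++)
        if (tbl[i].open && tbl[i].remote_cid == dcid) return -7;

    ch->remote_cid = dcid;
    ch->open = true;
    return 0;
}

/* Test harness (constructed data): one channel already open with remote CID
 * 0x0050, one request pending with Identifier 0x07 and local CID 0x0041. */
int run_case(uint16_t dcid, uint16_t scid, uint16_t result, uint8_t ident)
{
    l2cap_chan_t tbl[2] = {
        { 0x03, 0x0040, 0x0050, true  },
        { 0x07, 0x0041, 0x0000, false },
    };
    uint8_t cmd[L2CAP_SIG_HDR_LEN + L2CAP_CONN_RSP_LEN] = {
        L2CAP_CONN_RSP, ident, L2CAP_CONN_RSP_LEN, 0x00,
        (uint8_t)dcid, (uint8_t)(dcid >> 8), (uint8_t)scid, (uint8_t)(scid >> 8),
        (uint8_t)result, (uint8_t)(result >> 8), 0x00, 0x00 /* Status */
    };
    return l2cap_handle_conn_rsp(tbl, 2, cmd, sizeof cmd);
}

int main(void)
{
    printf("valid dynamic CID      -> %d\n", run_case(0x0042, 0x0041, 0, 0x07));
    printf("signaling CID as remote-> %d\n", run_case(0x0001, 0x0041, 0, 0x07));
    printf("null CID as remote     -> %d\n", run_case(0x0000, 0x0041, 0, 0x07));
    printf("CID already in use     -> %d\n", run_case(0x0050, 0x0041, 0, 0x07));
    printf("identifier mismatch    -> %d\n", run_case(0x0042, 0x0041, 0, 0x08));
    return 0;
}
```

The point of the example is the ordering: the peer's CID is checked against the spec's allowed range and against existing channels before any channel lookup happens with it. An implementation that trusts the value first and checks it later (or not at all) lets a remote device reach channel state it should never be able to name, which is the class of weakness the CVE describes.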
Confirmed affected manufacturers include:
- Mercedes-Benz AG - Multiple infotainment systems including NTG6 and potentially NTG7 head units
- Volkswagen - ICAS3 infotainment systems used in ID model line vehicles
- Skoda - MIB3 head units in Superb model line and some Volkswagen vehicles
- Undisclosed OEM - A fourth major automotive manufacturer that was only recently informed about the vulnerabilities
The vulnerabilities were discovered by the research team at PCA Cyber Security and reported to OpenSynergy in May 2024.
OpenSynergy confirmed the flaws in June 2024 and released patches to its customers in September 2024, but many automakers have yet to push the corrective firmware to vehicles. At least one major OEM learned of the issue only recently, well after the fix was available upstream, which illustrates the gap between a stack vendor's patch and an in-car update.
Volkswagen acknowledged the vulnerabilities and noted that several conditions must hold for exploitation to succeed: the attacker must be within 5-7 meters of the vehicle, the ignition must be on, the infotainment system must be in pairing mode, and the user must approve the attacker's pairing request. The company emphasized that critical vehicle functions such as steering, brakes, and engine control run on separate systems. Note that these conditions are Volkswagen's assessment of its own systems; the pairing-mode and user-approval requirements are also why limiting pairings is the most practical mitigation an owner has.
The researchers plan to disclose full technical details of PerfektBlue in a conference presentation in November 2025, giving manufacturers additional time to build, test, and deploy fixes across their affected fleets.