Critical Bluetooth Protocol Vulnerabilities Expose Devices to RCE Attacks

Security researchers have disclosed a critical set of Bluetooth vulnerabilities dubbed “PerfektBlue” that affect millions of vehicles and other devices using OpenSynergy’s BlueSDK framework.

The vulnerabilities can be chained together to achieve remote code execution (RCE) over the air with minimal user interaction: an attacker within Bluetooth range needs only to pair with the target device to launch a successful attack.

Bluetooth Protocol Vulnerabilities

The PerfektBlue attack leverages four distinct vulnerabilities in the OpenSynergy BlueSDK Bluetooth stack, a framework widely adopted across the automotive sector.

CVE ID           Description                                           CVSS Score   Severity
CVE-2024-45434   Use-after-free in the AVRCP service                   8.0          High
CVE-2024-45431   Improper validation of an L2CAP channel's remote CID  3.5          Low
CVE-2024-45433   Incorrect function termination in RFCOMM              5.7          Medium
CVE-2024-45432   Function call with an incorrect parameter in RFCOMM   5.7          Medium

Note that a CVSS 3.x score of 8.0 falls in the High band (7.0 to 8.9); the "critical" label applies to the chained attack as a whole, not to any single CVE. The use-after-free in AVRCP is the memory-corruption primitive that makes code execution possible; the remaining three are the logic flaws chained around it.

Major manufacturers including Mercedes-Benz AG, Volkswagen, and Skoda have been confirmed as affected, and the researchers note that because BlueSDK is also licensed for mobile phones and portable devices, the exposure extends beyond the automotive sector.

The attack requires at most one click from a user to be exploited over the air, which makes it particularly dangerous for in-vehicle infotainment (IVI) systems, where the "user" is a driver who may accept a pairing prompt without scrutiny.

Once successfully exploited, attackers can track GPS coordinates, record audio inside vehicles, access personal phonebook information, and potentially perform lateral movement to other electronic control units (ECUs) within the vehicle’s network.

The PerfektBlue attack chain consists of memory corruption and logical vulnerabilities that can be combined for maximum impact.

The PCA Security Assessment Team identified these flaws by reverse engineering compiled BlueSDK-based Bluetooth executables on test devices, as source code access was not available.

The vulnerabilities were verified through proof-of-concept exploits on three different infotainment systems, including Volkswagen’s MEB ICAS3 system used in ID model vehicles, Mercedes-Benz NTG6 head units, and Skoda’s MIB3 system found in Superb model lines.

The vulnerabilities were first reported to OpenSynergy in May 2024, with the company confirming the issues and developing patches by September 2024.

However, the complex automotive supply chain has delayed patch distribution, with some original equipment manufacturers (OEMs) not receiving updates as late as June 2025.

The disclosure process revealed communication challenges within the automotive supply chain, with at least one undisclosed OEM reporting they never received vulnerability notifications or patches from their suppliers despite OpenSynergy’s patch availability.

To protect against PerfektBlue attacks, users and organizations should apply vendor updates as soon as they become available. Because patch availability from OpenSynergy does not guarantee that a given OEM has shipped it, vehicle owners and fleet operators should contact their manufacturer for specific guidance on whether a fix exists for their infotainment system.

As an immediate protective measure, disabling Bluetooth functionality entirely prevents exploitation, though this may impact device functionality. Where Bluetooth cannot be turned off, note that the attack depends on pairing: keeping the head unit out of pairing or discoverable mode except when deliberately adding a device, and declining unexpected pairing prompts, reduces exposure until a patch is installed.
