In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is...

CVE-2025-61081 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.

Basic information

Type: unreviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Not specified
Published (advisory): 2026-05-19 18:32:13 UTC
Updated: 2026-05-19 21:33:04 UTC
NVD published: 2026-05-19 18:16:19 UTC

EPSS Score

Score	Percentile
0.02%	6.96%

CVSS Scores

Base score	Version	Severity	Vector
7.5	3.1	—	`CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H` Click to expand Attack vector (AV:P) Hands-on access—USB, keyboard, opening the case—not something you do purely over the wire. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type	Value
GHSA	GHSA-h596-vpgv-58r7 ↗
CVE	CVE-2025-61081 ↗

CWEs

CWE id	Name
CWE-307	Improper Restriction of Excessive Authentication Attempts

References

cvelogic Threat Intelligence