Vulnerability Discovered in Automotive Product Security Platform Potentially Allows Remote Code Execution

February 26, 2024
VicOne

Security researchers at QAX StarV Security Lab and China Automotive Engineering Research Institute (CAERI) recently published an advisory on a vulnerability they discovered last year in Cybellum’s automotive product security platform. Designated with the identifier CVE-2023-42419, the vulnerability allows unauthorized access to the host system and retrieval of a private key for signing and encrypting shell scripts. These scripts, executed via an API call, are considered legitimate if signed with the compromised key, enabling remote code execution (RCE). 

The researchers found a function called execute_rce, but it turned out to be a legitimate API within the product. The vulnerability instead arises from the ease with which the encryption key (used for signing, encrypting, and decrypting uploaded files) can be obtained. With that key in hand, the API can potentially be abused to carry out malicious RCE: malicious actors could exploit the vulnerability to run arbitrary code or commands. The researchers reported the vulnerability to Cybellum in June 2023, and in a security update posted on Feb. 21, Cybellum said that it had implemented a permanent fix in version 2.28 of the affected software (its QCOW air-gapped distribution, exclusively deployed in China).
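The design point behind this class of flaw, as an added Go example that is not code from Cybellum or from the researchers' advisory: when the host that checks uploaded scripts also stores the key that authorizes them, anyone who can read that key can get any script accepted, whereas a host that stores only a verification key cannot be used that way. The type names, the HMAC and Ed25519 choices, and the sample scripts are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// macTag computes HMAC-SHA256 over a script with the given key.
func macTag(key, script []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(script)
	return m.Sum(nil)
}

// SharedKeyHost (assumed weak layout): the host that checks uploaded scripts
// also stores the secret that authorizes them.
type SharedKeyHost struct{ Stored []byte }

func (h SharedKeyHost) Accepts(script, tag []byte) bool {
	return hmac.Equal(macTag(h.Stored, script), tag)
}

// VerifyOnlyHost stores only a public key; the signing key never reaches it.
type VerifyOnlyHost struct{ Stored ed25519.PublicKey }

func (h VerifyOnlyHost) Accepts(script, sig []byte) bool {
	return len(h.Stored) == ed25519.PublicKeySize && ed25519.Verify(h.Stored, script, sig)
}

// Demo reports, per layout, whether an approved script is accepted and whether
// material readable on the host is enough to get an unapproved one accepted.
func Demo() (weakOK, weakForged, hardOK, hardForged bool) {
	approved := []byte("#!/bin/sh\necho maintenance\n")    // constructed sample
	unapproved := []byte("#!/bin/sh\necho not-approved\n") // constructed sample
	weak := SharedKeyHost{Stored: []byte("constructed-shared-secret")}
	weakOK = weak.Accepts(approved, macTag(weak.Stored, approved))
	weakForged = weak.Accepts(unapproved, macTag(weak.Stored, unapproved))
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	hard := VerifyOnlyHost{Stored: pub}
	sig := ed25519.Sign(priv, approved) // done off-host in a real deployment
	hardOK = hard.Accepts(approved, sig)
	// Neither the reused signature nor a tag keyed with host material passes.
	hardForged = hard.Accepts(unapproved, sig) ||
		hard.Accepts(unapproved, macTag(hard.Stored, unapproved))
	return
}
func main() { fmt.Println(Demo()) }
```

When reviewing a product that executes signed uploads, the question this models is what key material is readable on the executing host and what that material is able to authorize.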

Vulnerabilities that could lead to RCE were also recently identified in the IT industry, in the form of flaws in virtual private network (VPN) software products from Ivanti and in a remote desktop software product from ConnectWise. RCE represents a significant security threat as it enables attackers to gain control over remote systems, positioning it among the most critical security issues. 

The potential impact of such vulnerabilities underscores the importance of continuous quality control across the overall software life cycle, from the development phase to the operating phase:

  • Integration of automotive security and IT security. It is recommended for automotive cybersecurity product vendors to have expertise in both the automotive and IT industries to ensure the delivery of secure products and cloud services. It is also important to assess whether vendors’ product and software development projects comply with automotive and IT–related standards such as ASPICE and ISO/IEC 27017. 
  • Security response in action. Implementing a streamlined security incident handling process enables organizations to promptly activate relevant procedures for identifying, assessing, and addressing risks associated with security vulnerabilities across their products. This makes it easier for stakeholders to take relevant actions toward risk mitigation. 
  • Security at the forefront. As cybersecurity is continuously evolving, establishing a comprehensive security policy ensures that both existing employees and new hires can follow a shared policy, including cybersecurity management, cybersecurity plan guidelines, software security policy, continuous improvement programs, and continuous training programs. 
