Logic Flaw in Volkswagen's MIB3 Infotainment System
CVE-2023-28904
5.2 MEDIUM
Key Information:
- Vendor
- CVE Published: 28 June 2025
What is CVE-2023-28904?
A logic flaw in the bootloader of Volkswagen's MIB3 infotainment system allows an attacker with physical access to the MIB3 Electronic Control Unit (ECU) to bypass firmware signature verification. If exploited, this could enable the attacker to execute arbitrary code during the boot process, potentially compromising the integrity of the infotainment system. Because exploitation requires physical access to the ECU, users should be aware of the risk and consider security measures that limit unauthorized access to the unit.
Affected Version(s)
Volkswagen MIB3 infotainment system MIB3 OI MQB 0 <= 0304
References
CVSS V3.1
- Score: 5.2
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: High
- Availability: Low
- Attack Vector: Physical
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Danila Parnishchev from PCA Cyber Security (PCAutomotive)
Polina Smirnova from PCA Cyber Security (PCAutomotive)