Command Injection Vulnerability in MIB3 Infotainment by VW
CVE-2023-28906

7.8HIGH

Key Information:

Vendor: Preh Car Connect Gmbh (joynext Gmbh)
Status: Volkswagen Mib3 Infotainment System Mib3 Oi MQb
Vendor: CVE Published:; 28 June 2025

🔔 Create Preh Car Connect Gmbh (joynext Gmbh) Vulnerability Alert

What is CVE-2023-28906?

A command injection vulnerability resides within the networking service of the MIB3 infotainment system, putting at risk vehicles equipped with this unit. An attacker with access to the system can exploit this vulnerability to escalate privileges, gaining administrative access and potentially compromising vehicle operation. The issue was notably identified in the Skoda Superb III model, though other units with specific OEM part numbers are also affected. This risk underscores the need for robust security measures in automotive infotainment systems.

Affected Version(s)

Volkswagen MIB3 infotainment system MIB3 OI MQB 0 <= 0304

References

https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishc...

https://pcacybersecurity.com/resources/advisory/vulnerabi...

technical-description

https://asrg.io/security-advisories/vulnerabilities-in-vo...

third-party-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 28, 2025
Vulnerability Reserved
Mar 27, 2023

Credit

Mikhail Evdokimov from PCA Cyber Security (PCAutomotive)

Artem Ivachev from PCA Cyber Security (PCAutomotive)