Unauthorized Access to Clear-Text Contact Data in Skoda MIB3 Infotainment Unit
CVE-2023-28912
5.7 MEDIUM
Key Information:
- Vendor
- CVE Published: 28 June 2025
What is CVE-2023-28912?
The MIB3 infotainment unit in Skoda vehicles stores synchronized phone contact information in clear text. An attacker who gains code execution on the device, or who has physical access to it, can retrieve sensitive contact data belonging to the vehicle owner. Users of affected units should assess their security measures and understand the risks associated with this vulnerability. A comprehensive list of affected OEM part numbers can be found in the referenced advisories.
Affected Version(s)
Volkswagen MIB3 infotainment system MIB3 OI MQB 0 <= 0304
References
CVSS V3.1
Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Artem Ivachev from PCA Cyber Security (PCAutomotive)
Mikhail Evdokimov from PCA Cyber Security (PCAutomotive)