Insecure Direct Object Reference in Vehicle Management System by Vendor X
CVE-2025-11690

8.5HIGH

Key Information:

Vendor: Cfmoto
Status: Ride
Vendor: CVE Published:; 4 November 2025

What is CVE-2025-11690?

The vulnerability allows unauthorized users to access sensitive vehicle information belonging to others by exploiting the vehicleId parameter. Attackers can retrieve critical data, including GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics. This highlights a significant server-side authorization oversight that must be addressed to protect user privacy and data integrity.

Affected Version(s)

RIDE 1

References

https://advisories.ncsc.nl/2025/ncsc-2025-0350.html

third-party-advisory

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 4, 2025
Vulnerability Reserved
Oct 13, 2025

JSON

Cfmoto

What is CVE-2025-11690?

Affected Version(s)

References

CVSS V3.1

Timeline