Replay Attack Vulnerability in KIA-branded Aftermarket Keyless Entry Systems
CVE-2025-6029
Key Information:
- Vendor: Kia
- CVE Published: 13 June 2025
What is CVE-2025-6029?
CVE-2025-6029 is a vulnerability in KIA-branded aftermarket keyless entry systems, specifically the generic smart keyless entry system distributed primarily in Ecuador. The flaw is the use of fixed learning codes in the Key Fob Transmitter, which relies on a single code to lock and another to unlock the vehicle. Because the codes are fixed, this design allows replay attacks, in which signals intercepted from the key fob are reused to gain unauthorized access to vehicles. Organizations or individuals using these keyless entry systems therefore face a significant risk of vehicle theft and unauthorized entry, which can lead to financial loss or compromised security.
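The receiver-side difference between a fixed code and a counter-based (rolling) code, as an added example that is not code from the vendor, the researcher, or this page. The frame layout, key, code value and acceptance window are constructed assumptions, and the rolling-code receiver is a generic mitigation model, not a fix described here.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real key fob.
FIXED_UNLOCK = bytes.fromhex("a1b2c3d4")
SHARED_KEY = b"constructed-demo-key"
WINDOW = 16  # how far ahead of the last counter the receiver accepts

class FixedCodeReceiver:
    """Models the flawed design: one static code per command."""
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, FIXED_UNLOCK)

def rolling_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: 4-byte counter || 1-byte command || truncated HMAC."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Hardened model: authenticated, strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 4 + 1 + 8:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # already-used or out-of-window counter
        self.last_counter = counter
        return True

def demo() -> dict:
    """Present the same frame twice to each receiver model."""
    fixed, rolling = FixedCodeReceiver(), RollingCodeReceiver(SHARED_KEY)
    frame = rolling_frame(SHARED_KEY, 1, b"U")
    return {
        "fixed_first": fixed.accept(FIXED_UNLOCK),
        "fixed_replay": fixed.accept(FIXED_UNLOCK),
        "rolling_first": rolling.accept(frame),
        "rolling_replay": rolling.accept(frame),
        "rolling_next": rolling.accept(rolling_frame(SHARED_KEY, 2, b"U")),
    }
```

The fixed-code receiver cannot distinguish a second presentation of a frame from the first, while the counter check makes each authenticated frame single-use.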
Potential Impact of CVE-2025-6029
- Vehicle Theft: The primary concern surrounding this vulnerability is the risk of vehicle theft. By exploiting the replay attack, criminals can easily unlock and start vehicles without the legitimate key fob, resulting in a direct loss for vehicle owners and manufacturers.
- Unauthorized Access to Sensitive Areas: Beyond impacting individual vehicle owners, the compromised keyless entry systems could allow unauthorized access to secure locations where the vehicles are parked, potentially leading to larger-scale security breaches.
- Implications for Consumer Trust: The discovery of this vulnerability could undermine consumer trust in KIA-branded products, particularly in the realm of vehicle security. A decline in confidence could affect sales and brand reputation, with long-term repercussions for the manufacturer and associated retailers.

Affected Version(s)
Aftermarket Generic Smart Keyless Entry System KIA Ecuador Key Fobs version 2022/2023
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
KIA Keyless Entry Vulnerability CVE-2025-6029 Reported
Researcher reports CVE-2025-6029, a flaw in KIA Ecuador keyless entry systems, exposing thousands of vehicles to theft via replay, brute force, and cloning.
Timeline
- First article discovered by The Cyber Express
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
