CVE-2015-5611 : Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Ch

Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA) from 2013 to 2015 models, allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus due to insufficient "Radio security protection," as demonstrated on a 2014 Jeep Cherokee Limited FWD.

Published 2015-07-21 21:05:00

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2015-5611

FCA » Uconnect
Versions up to, including, (<=) 15.26.1
cpe:2.3:a:fca:uconnect:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-5611

EPSS FAQ

9.57%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 92 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-5611

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.3	HIGH	AV:A/AC:L/Au:N/C:C/I:C/A:C	6.5	10.0	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

References for CVE-2015-5611

https://twitter.com/0xcharlie/status/623171594349842433

Charlie Miller on Twitter: "This update might not sound particularly important, but trust me, if you can, you really should install this one. http://t.co/qhTCrBIho8"
http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483036/RCLRPT-15V461-9407.pdf
https://twitter.com/0xcharlie/status/623258479730552832

Charlie Miller on Twitter: "Checked patch, looks good. Well done Chrysler! Now, back to a vulnerable version for more testing! http://t.co/RdBOyrRPuc"
http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483033/RCAK-15V461-4967.pdf

Third Party Advisory;US Government Resource
http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/

Unhacking the hacked Jeep® SUV | FCA North America Corporate Blog
https://twitter.com/0xcharlie/status/623195051296993280

Charlie Miller on Twitter: "@SushiDude @nudehaberdasher there is no ota patching here, customer has to do stuff :("
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED
https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01

Harman-Kardon Uconnect Vulnerability | CISA
http://media.fcanorthamerica.com/newsrelease.do?id=16827&mid=1

FCA US Media - FCA US LLC Releases Software Update to Improve Vehicle Electronic Security and Communications System Enhancements<br />
https://www.youtube.com/watch?v=MK0SrxBC1xs&feature=youtu.be

YouTube
http://www.securityfocus.com/bid/75993

Uconnect CVE-2015-5611 Remote Privilege Escalation Vulnerability

Jump to

Vulnerability Details : CVE-2015-5611

Products affected by CVE-2015-5611

Exploit prediction scoring system (EPSS) score for CVE-2015-5611

CVSS scores for CVE-2015-5611

References for CVE-2015-5611