The QNX Software Development Platform (SDP)—a foundation of many embedded and real-time systems—has been found vulnerable to a critical remote code execution (RCE) flaw in its PCX image codec component. Tracked as CVE-2025-2474, this vulnerability carries a CVSS v3.1 score of 9.8, signaling the highest level of severity.
According to QNX’s security advisory, the vulnerability “could potentially allow a successful attacker to cause a denial-of-service condition or execute code in the context of the process using the image codec.”
The flaw resides in the way QNX SDP processes maliciously crafted PCX image files. If an attacker can get the system to parse such a file, they could crash the process—or worse, execute arbitrary code within the context of that process.
“To exploit this vulnerability, an attacker must induce a target system to parse a maliciously crafted PCX format image file,” the advisory explains.
Although exploitation requires some form of input delivery (e.g., an uploaded file or remotely fetched image), the risk is especially pronounced in automotive, industrial, or IoT systems where image codecs may be used in display pipelines.
QNX notes: “An unauthenticated attacker could cause a denial-of-service condition or execute code in the context of the process using the image codec.”
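The advisory does not disclose the root cause, so the following is an added example rather than QNX's code: a hardened decoder for one PCX variant (8 bits per pixel, one plane, RLE) that treats every header field and run count in an untrusted file as hostile and checks it against the caller's buffer before a byte is written. Header offsets follow the public ZSoft PCX layout; the sample file and the `pcx_demo` helper are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hardened decoder for one PCX variant (8 bits/pixel, one plane, RLE). Every size
 * comes from the untrusted file, so each is checked before it indexes anything.
 * Returns 0 on success, -1 on malformed input; never writes past out_len. */
#define PCX_HDR_LEN 128   /* public ZSoft PCX header length; offsets below follow it */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

int pcx_decode_8bpp(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len)
{
    if (len < PCX_HDR_LEN || buf[0] != 0x0A || buf[2] != 1) return -1; /* magic, RLE flag */
    if (buf[3] != 8 || buf[65] != 1) return -1;                        /* 8 bpp, 1 plane */
    uint16_t xmin = rd16(buf + 4), ymin = rd16(buf + 6), xmax = rd16(buf + 8), ymax = rd16(buf + 10);
    uint16_t bpl = rd16(buf + 66);                                     /* bytes per row */
    if (xmax < xmin || ymax < ymin) return -1;
    size_t width = (size_t)xmax - xmin + 1, height = (size_t)ymax - ymin + 1;
    if (bpl < width || (bpl & 1)) return -1;          /* row stride must cover the row */
    if (height > SIZE_MAX / bpl) return -1;           /* stride * rows must not wrap */
    size_t need = bpl * height;
    if (need > out_len) return -1;                    /* caller's buffer is the hard limit */
    const uint8_t *p = buf + PCX_HDR_LEN, *end = buf + len;
    size_t written = 0;
    while (written < need) {
        if (p >= end) return -1;                      /* truncated pixel stream */
        uint8_t b = *p++, val = b;
        size_t run = 1;
        if ((b & 0xC0) == 0xC0) {                     /* run marker: low 6 bits = count */
            run = b & 0x3F;
            if (p >= end) return -1;
            val = *p++;
        }
        if (run > need - written) return -1;          /* a run may not spill past the image */
        memset(out + written, val, run);
        written += run;
    }
    return 0;
}

/* Constructed sample: 4x2 pixels, 8 bpp, one plane, stride 4; the RLE data decodes to
 * row 1 = 11 11 11 11, row 2 = 22 33 44 44 into pcx_demo_px. mode 0 = file as is,
 * 1 = last byte cut off, 2 = header rewritten to claim 1024x1024 for the 8-byte output. */
uint8_t pcx_demo_px[8];
int pcx_demo(int mode)
{
    uint8_t f[PCX_HDR_LEN + 6] = {0x0A, 5, 1, 8, 0, 0, 0, 0, 3, 0, 1, 0};
    static const uint8_t rle[] = {0xC4, 0x11, 0x22, 0x33, 0xC2, 0x44};
    f[65] = 1; f[66] = 4;
    memcpy(f + PCX_HDR_LEN, rle, sizeof rle);
    if (mode == 2) { f[8] = 0xFF; f[9] = 0x03; f[10] = 0xFF; f[11] = 0x03; f[66] = 0; f[67] = 4; }
    return pcx_decode_8bpp(f, sizeof f - (mode == 1), pcx_demo_px, sizeof pcx_demo_px);
}
```

The truncated and oversized variants are rejected before any out-of-bounds write can occur, which is the behaviour a codec running in a display pipeline needs when the file comes from an untrusted source.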
This vulnerability was responsibly disclosed by Haowei Yang and Yingjie Cao from the 360 Vulnerability Research Institute, whose contributions were acknowledged by QNX.
This vulnerability affects the following platforms:
- QNX SDP 8.0
- QNX SDP 7.1
- QNX SDP 7.0
However, QNX-based systems that do not use the image codec component are not affected:
“This vulnerability is mitigated in QNX-based systems that do not use the image codec component.”
QNX provides software updates that resolve the vulnerability by patching the image codec component. These are available via the QNX Software Center and vary by platform:
- SDP 8.0: com.qnx.qnx800.target.screen.img_codecs → version 0.0.2.00108T202504090902L
- SDP 7.1: com.qnx.qnx710.target.screen.img_codecs → version 0.0.7.00784T202503071321L
- SDP 7.0: com.qnx.sdp.target.screen.img_codecs → version 7.0.7150.L202503031527
In addition to patching, QNX advises running image codec processes with least privilege:
“System integrators should consider running the target systems with the processes using the image codec set to a non-superuser mode, restricting it to only the minimum required system access and abilities.”