
Kaspersky Labs has unveiled critical vulnerabilities in the Mercedes-Benz User Experience (MBUX) infotainment system, shedding light on potential security risks in connected vehicles. Their report uncovers exploitable weaknesses that could compromise user data, vehicle functionality, and even safety.
The MBUX infotainment system represents the cutting edge of automotive technology, integrating multimedia, communication, and diagnostic capabilities. Kaspersky researchers analyzed its first-generation architecture, uncovering significant vulnerabilities in overlooked subsystems, including diagnostics (CAN and UDS protocols), USB interfaces, and custom interprocess communication (IPC).
Kaspersky’s research exposed multiple critical flaws, including:
- Privilege Escalation via Polkit (CVE-2021-4034): The outdated Polkit component allowed attackers to gain administrative rights, modify network settings, and bypass security features. The filesystem lacked integrity protection, enabling attackers to remount it with write permissions and alter startup scripts.
- Heap Buffer Overflow in Data Decoding (CVE-2024-37601): The UserData service failed to process UTF-8 strings properly, leading to crashes and system freezes that required hard resets. Kaspersky described this as a vulnerability that disrupts the UserData service during data import, freezing the system entirely.
- SQLite Vulnerabilities (CVE-2023-34399): Exploitable flaws in SQLite-based databases allowed attackers to inject malicious code via user profile imports, creating a persistent crash loop in the CAPServer service.
The report highlights real-world attack vectors, including:
- Physical Access via USB: Attackers could bypass anti-theft mechanisms by injecting CAN messages or exploiting USB services to compromise the system.
- Remote Access through Diagnostics: Exposed TCP ports enabled attackers to inject unauthorized commands, potentially gaining control over critical vehicle functions like engine shutdown and door locking.

Researchers also demonstrated heap spraying techniques to gain full control of execution, exploiting poorly sanitized inputs in SQLite databases.
Mercedes-Benz Group AG promptly handled all the identified vulnerabilities.