CVE-2024-51072 identifies a vulnerability in the instrument cluster ECU of the KIA Seltos vehicle, specifically in software and hardware version 1.0. The issue involves the UDS (Unified Diagnostic Services) protocol's ECUReset service, which can be invoked by an attacker to cause a Denial of Service (DoS) by resetting the ECU, thereby disrupting the instrument cluster's operation. The vulnerability is notable because the ECUReset service does not require SecurityAccess or authentication, allowing unauthenticated attackers to trigger the reset. This lack of authentication is classified under CWE-346 (Origin Validation Error). However, the supplier disputes the vulnerability's validity, arguing that the test environment was unrealistic—testing an isolated ECU outside the vehicle context—and that the ECUReset specification does not permit manufacturers to require authentication, implying the behavior is by design or constrained by standards. The CVSS 3.1 base score is 5.3, with vector AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating the attack requires physical proximity (AV:P), low attack complexity, no privileges or user interaction, and impacts availability with a scope change. No patches or mitigations have been published yet, and no known exploits are reported in the wild. This vulnerability highlights potential risks in automotive ECUs where diagnostic services may be exposed without sufficient authentication controls.

The primary impact of CVE-2024-51072 is a Denial of Service condition on the KIA Seltos instrument cluster, which could disable or disrupt critical vehicle dashboard functions such as speedometer, fuel gauge, warning lights, and other driver information displays. This can lead to driver confusion or distraction, potentially increasing the risk of accidents. Although the vulnerability does not affect confidentiality or integrity, the loss of availability of the instrument cluster is significant for vehicle safety and operational awareness. The requirement for physical or local network access limits remote exploitation but does not eliminate risk, especially in scenarios where attackers gain proximity or access to the vehicle's diagnostic interface (e.g., during maintenance or via compromised telematics). The disputed nature of the vulnerability and lack of known exploits reduce immediate risk, but the potential for misuse in targeted attacks or by malicious insiders remains. Organizations operating fleets of KIA Seltos vehicles or related automotive service providers should consider the operational impact of instrument cluster DoS and prepare for incident response. The absence of patches means mitigation relies on access controls and monitoring.

1. Restrict physical and network access to the vehicle's diagnostic interfaces, especially the UDS protocol endpoints, by implementing strict access controls and secure storage of diagnostic tools. 2. Employ network segmentation within the vehicle's internal network (CAN bus or Ethernet) to isolate the instrument cluster ECU from external or less trusted components. 3. Monitor vehicle diagnostic communication for unusual ECUReset requests or repeated reset attempts that could indicate exploitation attempts. 4. Coordinate with KIA and authorized dealers to stay informed about any forthcoming firmware updates or patches addressing this vulnerability. 5. For fleet operators, implement policies to control and log all maintenance and diagnostic activities to detect unauthorized access. 6. Consider additional physical security measures to prevent unauthorized access to the vehicle's OBD-II port or telematics units. 7. Engage with automotive cybersecurity specialists to assess the risk in the specific operational environment and develop tailored detection and response strategies. 8. Advocate for future ECU and UDS protocol implementations to enforce authentication and authorization on critical diagnostic services such as ECUReset to prevent unauthenticated resets.