
CVE-2025-28169: n/a in n/a

Severity: High
Tags: Vulnerability, CVE-2025-28169, cve, cve-2025-28169, n-a, cwe-295
Published: Wed Apr 23 2025 (04/23/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to send broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a man-in-the-middle attack.

AI-Powered Analysis

Last updated: 06/21/2025, 23:50:24 UTC

Technical Analysis

CVE-2025-28169 is a high-severity vulnerability affecting the BYD QIN PLUS DM-i vehicle's Dilink OS versions from v3.0_13.1.7.2204050.1 through v3.0_13.1.7.2312290.1_0. The vulnerability arises because the vehicle's system broadcasts data to the manufacturer's cloud server without encryption. This lack of encryption allows an attacker positioned on the network path to perform a man-in-the-middle (MitM) attack. By intercepting and potentially modifying the unencrypted broadcast data, an attacker could compromise the confidentiality, integrity, and availability of communications between the vehicle and the cloud.

The CVSS v3.1 base score of 8.1 reflects high impact on confidentiality, integrity, and availability, with a network attack vector and no privileges or user interaction required, but high attack complexity. The CWE-295 (Improper Certificate Validation) classification indicates issues related to improper certificate validation or authentication mechanisms, which likely contribute to the insecure transmission. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the critical nature of vehicle communications and the potential for remote exploitation. The absence of encryption in broadcast communications could allow attackers to inject malicious commands, disrupt vehicle operations, or exfiltrate sensitive data. Given the integration of connected vehicles into broader IoT and telematics ecosystems, exploitation could have cascading effects on user safety and privacy.

Potential Impact

For European organizations, especially those involved in automotive manufacturing, fleet management, or connected vehicle services, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to vehicle telemetry and control systems, risking driver safety and data privacy. Fleet operators could experience operational disruptions, leading to financial losses and reputational damage. Additionally, compromised vehicle communications might be leveraged as entry points for broader network intrusions, threatening enterprise IT infrastructure. The impact extends to regulatory compliance, as European data protection laws (e.g., GDPR) impose strict requirements on safeguarding personal and telemetry data. Failure to secure these communications could result in legal penalties and loss of customer trust. Furthermore, the vulnerability could undermine confidence in connected vehicle technologies, slowing adoption and innovation within the European automotive sector.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize the following actions:

1) Coordinate with BYD or authorized service providers to obtain and deploy firmware updates or patches that enable encryption for broadcast communications to the cloud server.
2) Implement network-level protections such as VPN tunnels or secure transport protocols (e.g., TLS) to safeguard vehicle-to-cloud communications where possible.
3) Employ network monitoring tools to detect anomalous traffic patterns indicative of MitM attacks or data interception attempts.
4) For fleet operators, segment vehicle communication networks from critical enterprise systems to contain potential breaches.
5) Conduct regular security assessments and penetration testing focused on connected vehicle components to identify and remediate similar weaknesses.
6) Engage in threat intelligence sharing with automotive cybersecurity communities to stay informed about emerging exploits and mitigation strategies.
7) Educate end-users and operators about the risks of connecting vehicles to untrusted networks and encourage secure usage practices.

These measures go beyond generic advice by emphasizing collaboration with vendors, network segmentation, and proactive detection tailored to connected vehicle environments.
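A monitoring check in support of the network-monitoring recommendation above, given here as an added example that is not part of the original advisory: it classifies the first client payload of each captured flow as a TLS ClientHello, readable plaintext, or unknown binary. The flow records, addresses, ports and payloads are constructed, since the page does not state which protocol or port the vehicle uses.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow."""
    if len(payload) >= 6:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
        # A ClientHello starts with a handshake record: legacy version 3.x
        # and a record length within the 2^14-byte plaintext limit.
        if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
                and 0 < rec_len <= 16384 and payload[5] == CLIENT_HELLO):
            return "tls"
    if payload:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
        if printable / len(payload) >= 0.9:
            return "plaintext"   # readable text on the wire
    return "unknown"             # binary but not TLS: review manually

def flag_non_tls(flows):
    """Return (src, dst, dport, verdict) for every flow that is not TLS."""
    findings = []
    for f in flows:
        verdict = classify_first_payload(f["first_payload"])
        if verdict != "tls":
            findings.append((f["src"], f["dst"], f["dport"], verdict))
    return findings

# Constructed sample flows (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "first_payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)},
    {"src": "192.0.2.10", "dst": "198.51.100.6", "dport": 80,
     "first_payload": b"POST /upload HTTP/1.1\r\nHost: cloud.example\r\n\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 9000,
     "first_payload": b"\x00\x01\x02\x03binary-frame\xff\xfe"},
]

if __name__ == "__main__":
    for finding in flag_non_tls(SAMPLE_FLOWS):
        print(finding)
```

A "tls" verdict only shows that a handshake was started; it does not show that the client validates the server certificate, which is the CWE-295 concern and has to be confirmed separately.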


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9840c4522896dcbf1581

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/21/2025, 11:50:24 PM

Last updated: 7/26/2025, 10:01:11 AM
