
CVE-2025-32058: CWE-121: Stack-based Buffer Overflow in Bosch Infotainment system ECU

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-32058, cwe-121
Published: Sun Feb 15 2026 (02/15/2026, 10:44:48 UTC)
Source: CVE Database V5
Vendor/Project: Bosch
Product: Infotainment system ECU

Description

The Infotainment ECU manufactured by Bosch uses an RH850 module for CAN communication. The RH850 is connected to the infotainment system over the INC interface through a custom protocol. A vulnerability in the processing of requests for this protocol on the V850 side allows an attacker with code execution on the infotainment main SoC to execute code on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus. It was first identified on a Nissan Leaf ZE1 manufactured in 2020.

AI-Powered Analysis

Last updated: 02/15/2026, 11:16:09 UTC

Technical Analysis

CVE-2025-32058 is a stack-based buffer overflow vulnerability (CWE-121) found in the Bosch Infotainment system ECU, which integrates an RH850 microcontroller module responsible for CAN bus communication. The RH850 module interfaces with the infotainment main SoC via a custom INC protocol. The vulnerability arises during the processing of protocol requests on the V850 side, allowing an attacker who has already gained code execution on the infotainment main SoC to escalate privileges and execute arbitrary code on the RH850 module. This escalation enables the attacker to send arbitrary CAN messages over the vehicle's CAN bus, potentially manipulating critical vehicle functions such as braking, steering, or engine control. The flaw was first identified in the Nissan Leaf ZE1 model manufactured in 2020, indicating that affected vehicles have been in circulation for several years. The vulnerability has a CVSS v3.1 score of 9.3 (critical), with an attack vector classified as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is changed (S:C), reflecting that the vulnerability affects components beyond the initially compromised system. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), underscoring the potential for severe consequences if exploited. No known exploits have been reported in the wild yet, and no patches are currently linked, emphasizing the need for proactive mitigation. The vulnerability highlights the risks inherent in interconnected automotive ECUs, especially those bridging infotainment systems and critical vehicle control networks.

Potential Impact

For European organizations, particularly automotive manufacturers, suppliers, and fleet operators, this vulnerability poses a significant risk. Exploitation could lead to unauthorized control over vehicle functions, resulting in safety hazards, potential accidents, and loss of life. The ability to send arbitrary CAN messages can disrupt vehicle operation, compromise data confidentiality, and damage brand reputation. Regulatory compliance risks also arise, as European Union regulations on automotive cybersecurity and safety (e.g., UNECE WP.29) require manufacturers to address such vulnerabilities promptly. Additionally, the presence of this vulnerability in widely used electric vehicles like the Nissan Leaf ZE1 means that repair shops, dealerships, and end-users across Europe could be affected. The potential for remote exploitation is limited due to the local attack vector, but physical or network access to the infotainment system could be leveraged by attackers, including insiders or through compromised infotainment apps. The impact extends to connected vehicle ecosystems, where compromised CAN bus messages could propagate risks to broader transportation infrastructure.

Mitigation Recommendations

1. Bosch and affected OEMs should prioritize developing and distributing firmware patches for the infotainment ECU and RH850 module to eliminate the buffer overflow vulnerability.
2. Until patches are available, restrict physical and network access to the infotainment system by disabling unnecessary interfaces (e.g., USB, Bluetooth, Wi-Fi) and enforcing strict access controls.
3. Implement runtime integrity checks and anomaly detection on the CAN bus to identify and block unauthorized or suspicious messages indicative of exploitation attempts.
4. Employ secure coding practices and rigorous protocol validation in future infotainment and ECU software to prevent similar buffer overflow issues.
5. Conduct thorough security audits and penetration testing on vehicle infotainment systems, focusing on inter-module communication protocols like INC.
6. Educate dealership and maintenance personnel about the risks and signs of infotainment system compromise.
7. Collaborate with automotive cybersecurity information sharing organizations in Europe to monitor emerging threats and share mitigation strategies.
8. Encourage end-users to update vehicle software promptly once patches are released and avoid installing untrusted infotainment applications.


Technical Details

Data Version: 5.2
Assigner Short Name: ASRG
Date Reserved: 2025-04-03T15:32:43.281Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6991a7744b0e3abdf9520b2c

Added to database: 2/15/2026, 11:01:08 AM

Last enriched: 2/15/2026, 11:16:09 AM

Last updated: 2/21/2026, 12:13:53 AM
