CVE-2025-32058: CWE-121: Stack-based Buffer Overflow in Bosch Infotainment system ECU
The Infotainment ECU manufactured by Bosch uses an RH850 module for CAN communication. The RH850 is connected to the infotainment system over the INC interface through a custom protocol. There is a vulnerability in the processing of requests of this protocol on the V850 side which allows an attacker with code execution on the infotainment main SoC to perform code execution on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus. First identified on Nissan Leaf ZE1 manufactured in 2020.
AI Analysis
Technical Summary
CVE-2025-32058 is a stack-based buffer overflow vulnerability (CWE-121) discovered in the Bosch Infotainment system ECU, which integrates an RH850 microcontroller module responsible for CAN bus communication. The RH850 module communicates with the infotainment main SoC via a custom protocol over the INC interface. The vulnerability exists in the request processing logic on the RH850 side, where improper bounds checking allows a buffer overflow when handling specially crafted protocol requests. Exploitation requires the attacker to have prior code execution on the infotainment main SoC, which is a prerequisite to trigger the overflow on the RH850 module. Successful exploitation enables arbitrary code execution on the RH850, allowing the attacker to send arbitrary CAN messages over the vehicle's CAN bus. This capability can be leveraged to manipulate critical vehicle functions controlled via CAN, such as braking, steering, or engine management, potentially leading to dangerous scenarios. The vulnerability was first identified in the Nissan Leaf ZE1 model manufactured in 2020, indicating real-world deployment. The CVSS v3.1 score of 9.3 reflects the critical nature of the flaw, with low attack complexity, no privileges required, no user interaction, and a scope change affecting multiple components. No public exploits or patches are currently available, highlighting the need for proactive mitigation and monitoring.
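The missing bounds check described above, as an added C example that is not Bosch's code and not part of the original page: it places an unchecked copy into a fixed stack buffer beside a parser that validates the declared length first. The frame layout, names and sizes are hypothetical, since the page does not describe the INC protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout, assumed for illustration (the page does not
 * describe the real INC protocol): [opcode:1][length:2, LE][payload]. */
#define REQ_HDR_LEN     3u
#define REQ_MAX_PAYLOAD 32u
enum { REQ_OK = 0, REQ_TRUNCATED = -1, REQ_TOO_LONG = -2 };

struct request {
    uint8_t opcode;
    size_t  len;
    uint8_t payload[REQ_MAX_PAYLOAD];
};

/* CWE-121 pattern, shown for contrast: the declared length is trusted, so
 * any value above REQ_MAX_PAYLOAD writes past the stack buffer. */
int handle_unchecked(const uint8_t *frame)
{
    uint8_t payload[REQ_MAX_PAYLOAD];
    uint16_t declared = (uint16_t)(frame[1] | (frame[2] << 8));
    memcpy(payload, frame + REQ_HDR_LEN, declared);
    return payload[0];
}

/* Hardened form: check the declared length against the bytes actually
 * received and against the destination size before copying anything. */
int parse_request(const uint8_t *frame, size_t frame_len, struct request *req)
{
    if (frame == NULL || req == NULL || frame_len < REQ_HDR_LEN)
        return REQ_TRUNCATED;
    size_t declared = (size_t)frame[1] | ((size_t)frame[2] << 8);
    if (declared > frame_len - REQ_HDR_LEN)
        return REQ_TRUNCATED;           /* claims more than was received */
    if (declared > sizeof req->payload)
        return REQ_TOO_LONG;            /* would overrun the destination */
    req->opcode = frame[0];
    req->len = declared;
    memcpy(req->payload, frame + REQ_HDR_LEN, declared);
    return REQ_OK;
}

int main(void)
{   /* Constructed frame: declares 0xFFFF bytes but carries only two. */
    const uint8_t lie[] = {0x10, 0xFF, 0xFF, 0x41, 0x41};
    struct request r;
    return parse_request(lie, sizeof lie, &r) == REQ_TRUNCATED ? 0 : 1;
}
```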
Potential Impact
The impact of CVE-2025-32058 is severe for automotive manufacturers, suppliers, and end-users. Exploitation can lead to full compromise of the RH850 module controlling CAN bus communications, enabling attackers to inject arbitrary CAN messages. This can result in unauthorized control over vehicle subsystems such as braking, acceleration, steering, and other safety-critical functions, posing significant safety risks to drivers and passengers. The confidentiality of vehicle data can be compromised, and integrity and availability of vehicle control systems can be severely disrupted. For organizations, this vulnerability threatens brand reputation, regulatory compliance, and could lead to costly recalls or legal liabilities. The requirement for prior code execution on the infotainment main SoC means attackers must first breach infotainment security, but once achieved, the attack surface expands dramatically. The vulnerability affects vehicles using Bosch infotainment ECUs with the RH850 module, notably Nissan Leaf ZE1 models from 2020, but potentially other vehicles using similar hardware and software architectures. The lack of available patches increases the urgency for mitigation.
Mitigation Recommendations
To mitigate CVE-2025-32058, organizations should implement a multi-layered approach:
1) Apply any available Bosch or OEM patches promptly once released.
2) Restrict and harden access to the infotainment main SoC to prevent initial code execution, including disabling unnecessary interfaces and services, enforcing strict authentication, and applying secure boot and runtime integrity checks.
3) Employ network segmentation within the vehicle architecture to isolate the infotainment system from critical CAN bus domains, limiting the impact of a compromised infotainment ECU.
4) Monitor CAN bus traffic for anomalous or unauthorized messages that could indicate exploitation attempts.
5) Collaborate with Bosch and automotive OEMs to conduct thorough security assessments and penetration testing of infotainment systems.
6) For fleet operators, implement intrusion detection systems tailored for automotive networks and maintain up-to-date incident response plans specific to vehicle cybersecurity.
7) Educate end-users on the risks of connecting untrusted devices or software to infotainment systems to reduce attack vectors.
Affected Countries
United States, Japan, Germany, France, United Kingdom, Canada, South Korea, China, Netherlands, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASRG
- Date Reserved: 2025-04-03T15:32:43.281Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6991a7744b0e3abdf9520b2c
Added to database: 2/15/2026, 11:01:08 AM
Last enriched: 2/22/2026, 10:26:47 PM
Last updated: 4/5/2026, 5:59:32 AM