CVE-2025-32063: CWE-306 Missing Authentication for Critical Function in Bosch Infotainment system ECU
There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability occurs during the startup phase of a specific systemd service; as a result, developer features are activated: the firewall is disabled and an SSH server is launched. First identified on the Nissan Leaf ZE1 manufactured in 2020.
AI Analysis
Technical Summary
CVE-2025-32063 is a security vulnerability identified in the Bosch Infotainment system ECU, notably present in the Nissan Leaf ZE1 manufactured in 2020. The flaw arises from a misconfiguration during the startup phase of a specific systemd service within the ECU. This misconfiguration inadvertently activates developer features that are normally disabled in production environments: specifically, it disables the firewall and launches an SSH server without requiring authentication. This constitutes a CWE-306 (Missing Authentication for Critical Function) vulnerability, allowing unauthorized users to access critical system functions remotely. The vulnerability is exploitable without user interaction or prior authentication, but the attack vector is local or requires network proximity (CVSS vector AV:P). The impact is severe, as unauthorized access could lead to full compromise of the infotainment system, potentially affecting vehicle operation or exposing sensitive data. The CVSS score of 6.8 reflects medium severity with high confidentiality, integrity, and availability impacts. No patches or known exploits have been reported yet, but the presence of an open SSH server with disabled firewall significantly increases attack surface and risk. The vulnerability highlights the importance of secure configuration management in automotive ECUs, especially those connected to vehicle networks and external interfaces.
Potential Impact
The vulnerability allows an attacker with local or network proximity access to connect to the infotainment ECU via SSH without authentication, due to the disabled firewall and active SSH server. This unauthorized access can lead to full compromise of the infotainment system, enabling attackers to manipulate system settings, extract sensitive data, or potentially interfere with vehicle functions if the ECU interfaces with other vehicle control systems. The confidentiality of user data stored or processed by the infotainment system is at high risk. Integrity and availability of the system are also compromised, as attackers could modify or disrupt ECU operations. For organizations such as automotive manufacturers, fleet operators, and service providers, this vulnerability could lead to reputational damage, safety risks, and regulatory consequences. The medium CVSS score reflects that exploitation requires proximity, limiting remote mass exploitation but still posing significant risk in scenarios like public charging stations, dealerships, or service centers where attackers might gain network access.
Mitigation Recommendations
1. Immediate mitigation should focus on network segmentation: isolate the infotainment ECU network from external and less trusted networks to limit attacker access.
2. Disable or restrict SSH access on the ECU until a patch is available, using firewall rules or network controls.
3. Monitor network traffic for unexpected SSH connections or firewall disablement events.
4. Collaborate with Bosch and Nissan to obtain and apply official patches or firmware updates addressing the misconfiguration.
5. Implement strict configuration management and validation processes to prevent developer features from being enabled in production environments.
6. Conduct security audits and penetration testing on automotive ECUs to detect similar misconfigurations proactively.
7. Educate service personnel and users about the risks of connecting vehicles to untrusted networks or devices.
8. Employ intrusion detection systems capable of recognizing anomalous behavior on vehicle networks.
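One way to implement the configuration validation in recommendation 5 is a release gate that audits the unpacked production root filesystem for systemd units, or scripts they run, that start an SSH server or tear down the firewall. This is an added example, not code from Bosch, Nissan or the advisory; the deny-list patterns and the unit and script names in the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed deny-list for a production image; extend it for your platform.
FORBIDDEN = {
    "ssh-server": re.compile(r"\b(sshd|dropbear)\b|systemctl\s+(start|enable)\s+\S*ssh"),
    "firewall-off": re.compile(
        r"\bip6?tables\b.*(\s-F\b|--flush\b|-P\s+INPUT\s+ACCEPT)"
        r"|\bnft\s+flush\s+ruleset\b"
        r"|systemctl\s+(stop|disable|mask)\s+\S*(firewall|iptables|nftables)"),
}
# Exec* directive, skipping systemd's executable prefixes (-, @, +, !, :).
EXEC = re.compile(r"^Exec(?:Start|StartPre|StartPost|Reload)\s*=\s*[-@+!:]*(.*)$")

def _scan(text, origin, findings):
    for tag, pattern in FORBIDDEN.items():
        if pattern.search(text) and (origin, tag) not in findings:
            findings.append((origin, tag))

def audit_rootfs(rootfs):
    """Return (origin, tag) pairs for units, or scripts they run, that hit the deny-list."""
    root, findings = Path(rootfs), []
    # is_file() skips dangling symlinks left behind in *.wants directories.
    for unit in sorted(p for p in root.rglob("*.service") if p.is_file()):
        for line in unit.read_text(errors="replace").splitlines():
            m = EXEC.match(line.strip())
            if not m or not m.group(1).split():
                continue
            cmd = m.group(1)
            _scan(cmd, unit.name, findings)
            # Follow the command into the image: the switch may sit in a script.
            target = root / cmd.split()[0].lstrip("/")
            if target.is_file():
                _scan(target.read_text(errors="replace"),
                      f"{unit.name} -> {cmd.split()[0]}", findings)
    return findings

def demo():
    """Audit a constructed rootfs; unit and script names are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        units = Path(tmp, "etc/systemd/system")
        units.mkdir(parents=True)
        Path(tmp, "usr/bin").mkdir(parents=True)
        (units / "audio.service").write_text("[Service]\nExecStart=/usr/bin/audiod\n")
        (units / "hmi-init.service").write_text(
            "[Service]\nExecStartPre=-/usr/bin/platform-setup.sh\nExecStart=/usr/bin/hmi\n")
        Path(tmp, "usr/bin/platform-setup.sh").write_text(
            "#!/bin/sh\n[ -f /etc/production ] || { iptables -F; /usr/sbin/sshd -D & }\n")
        return audit_rootfs(tmp)
```

Run `audit_rootfs()` against the extracted image in the build pipeline and fail the release when it returns any finding.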
Affected Countries
United States, Japan, Germany, United Kingdom, France, Canada, Australia, South Korea, China, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASRG
- Date Reserved: 2025-04-03T15:32:43.282Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6991a7744b0e3abdf9520b45
Added to database: 2/15/2026, 11:01:08 AM
Last enriched: 2/22/2026, 10:29:11 PM
Last updated: 4/3/2026, 9:07:21 AM