CVE-2025-5475: CWE-190: Integer Overflow or Wraparound in Sony XAV-AX8500

Severity: High
Type: Vulnerability
Tags: CVE-2025-5475, cve, cve-2025-5475, cwe-190
Published: Sat Jun 21 2025 (06/21/2025, 00:10:06 UTC)
Source: CVE Database V5
Vendor/Project: Sony
Product: XAV-AX8500

Description

Sony XAV-AX8500 Bluetooth Packet Handling Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sony XAV-AX8500 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the handling of Bluetooth packets. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the elysian-bt-service process. Was ZDI-CAN-26283.

AI-Powered Analysis

Last updated: 06/21/2025, 11:37:04 UTC

Technical Analysis

CVE-2025-5475 is a high-severity vulnerability identified in the Sony XAV-AX8500, a multimedia receiver device commonly used in vehicles. The vulnerability stems from an integer overflow or wraparound condition within the Bluetooth packet handling component of the device's firmware, specifically in version 2.00.01. The flaw arises due to improper validation of user-supplied data in Bluetooth packets, which leads to an integer overflow before memory is written. This memory corruption can be exploited by an attacker to execute arbitrary code within the context of the elysian-bt-service process, which handles Bluetooth communications on the device.

Exploitation requires the attacker to be network-adjacent, meaning they must be within Bluetooth range and successfully pair a malicious Bluetooth device with the target system. No user interaction or prior authentication is required beyond the pairing step, which is a significant barrier but not insurmountable given the nature of Bluetooth pairing protocols. The vulnerability has a CVSS v3.0 base score of 7.5, reflecting high impact on confidentiality, integrity, and availability, with attack vector classified as adjacent network and high attack complexity.

No known exploits are currently reported in the wild, and no patches have been published at the time of analysis. The vulnerability was assigned by ZDI under identifier ZDI-CAN-26283 and publicly disclosed on June 21, 2025. The integer overflow (CWE-190) can lead to remote code execution, potentially allowing attackers to take control of the affected device, manipulate its functions, or use it as a pivot point for further attacks within the vehicle or connected networks.
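The advisory does not disclose the affected code path, so the following is an added, generic illustration of the CWE-190 pattern it names (a packet-supplied length wrapping before a memory write) next to a hardened length check; it is not Sony's code. The 8-byte header, the little-endian 16-bit length field, and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u  /* constructed header size, not taken from the advisory */

/* Weak pattern: the buffer size is computed in 16 bits, so a claimed
 * payload of 0xFFFC plus the header wraps around to 4. A later copy of
 * payload_len bytes into a buffer of that size would overrun it. */
static uint16_t alloc_size_unchecked(uint16_t payload_len)
{
    return (uint16_t)(payload_len + HDR_LEN);
}

/* Hardened pattern: compare the claimed length against the bytes actually
 * received and the destination capacity before any arithmetic or copy.
 * Subtraction on the trusted side (pkt_len - HDR_LEN) cannot wrap because
 * pkt_len >= HDR_LEN was checked first. Returns 0 on success, -1 on reject. */
static int copy_payload_checked(const uint8_t *pkt, size_t pkt_len,
                                uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (pkt == NULL || dst == NULL || out_len == NULL || pkt_len < HDR_LEN)
        return -1;
    uint16_t payload_len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (payload_len > pkt_len - HDR_LEN)  /* claims more than was received */
        return -1;
    if (payload_len > dst_cap)            /* would not fit the destination */
        return -1;
    memcpy(dst, pkt + HDR_LEN, payload_len);
    *out_len = payload_len;
    return 0;
}

int main(void)
{
    /* Constructed sample frame: length field 0xFFFC, only 4 payload bytes. */
    uint8_t bad[12] = {0xFC, 0xFF, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4};
    uint8_t dst[64];
    size_t n = 0;
    printf("unchecked size for 0xFFFC: %u\n",
           (unsigned)alloc_size_unchecked(0xFFFC));
    printf("checked parser result: %d\n",
           copy_payload_checked(bad, sizeof bad, dst, sizeof dst, &n));
    return 0;
}
```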

Potential Impact

For European organizations, the impact of this vulnerability is primarily relevant to sectors relying on Sony XAV-AX8500 devices in their vehicle fleets or embedded systems, such as transportation companies, logistics providers, and automotive service providers. Successful exploitation could lead to unauthorized control over vehicle infotainment systems, potentially compromising sensitive data such as navigation history, contacts, or paired devices. Moreover, remote code execution could allow attackers to disrupt vehicle operations or use the compromised device as a foothold for lateral movement into broader corporate networks if connected via telematics or other interfaces. This risk is heightened in organizations with large fleets or critical transport infrastructure. The confidentiality, integrity, and availability of vehicle systems could be severely impacted, leading to operational disruptions, data breaches, or safety concerns. Additionally, the vulnerability could be exploited for espionage or sabotage in strategic sectors, especially where vehicles are used in critical supply chains or government operations.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement layered mitigations tailored to the Bluetooth attack vector and device usage context. First, restrict physical and Bluetooth access to vehicles equipped with the Sony XAV-AX8500 by enforcing strict pairing policies, such as disabling Bluetooth pairing when the vehicle is unattended or outside controlled environments. Employ Bluetooth device whitelisting to prevent unauthorized devices from pairing. Monitor Bluetooth connection logs for unusual pairing attempts or new devices. Where possible, disable Bluetooth functionality entirely if not required operationally. For fleet management, implement network segmentation to isolate vehicle infotainment systems from critical corporate networks, limiting potential lateral movement. Engage with Sony and authorized vendors to obtain firmware updates or patches as soon as they become available. Additionally, conduct regular security assessments of vehicle systems and update organizational policies to include Bluetooth security hygiene. Training drivers and operators on the risks of pairing unknown devices can further reduce exploitation likelihood.

Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2025-06-02T19:14:30.806Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68568e80aded773421b5a74d

Added to database: 6/21/2025, 10:50:40 AM

Last enriched: 6/21/2025, 11:37:04 AM

Last updated: 8/18/2025, 12:10:22 AM