CVE-2025-5476 is a medium-severity vulnerability affecting the Sony XAV-AX8500, a multimedia receiver device commonly used in automotive environments. The vulnerability stems from improper isolation or compartmentalization within the device's Bluetooth implementation, specifically related to the handling of ACL-U (Asynchronous Connection-Less Unicast) links. The flaw is due to a lack of proper L2CAP (Logical Link Control and Adaptation Protocol) channel isolation, which allows an attacker who is network-adjacent—meaning within Bluetooth range—to bypass authentication mechanisms on the device. Notably, exploitation does not require any prior authentication or user interaction, making it easier for an attacker to leverage this vulnerability. The attacker can potentially gain unauthorized access to the device’s Bluetooth interface, which could lead to limited confidentiality, integrity, and availability impacts. The CVSS v3.0 score is 6.3, reflecting a medium severity level, with the vector indicating low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability at a low level. There are no known exploits in the wild at this time, and no patches have been published yet. The vulnerability was identified and assigned by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-26284. The affected version is specifically 2.00.01 of the Sony XAV-AX8500 firmware or software. The underlying weakness is categorized under CWE-653, which relates to improper isolation or compartmentalization, a design flaw that can allow unauthorized access between components that should be isolated.

For European organizations, the impact of this vulnerability depends largely on the prevalence of the Sony XAV-AX8500 device within their vehicle fleets or employee vehicles. Given that the device is an automotive multimedia receiver with Bluetooth connectivity, exploitation could allow attackers to bypass Bluetooth authentication and potentially access or manipulate the device’s Bluetooth communications. This could lead to unauthorized access to paired devices or data streams, potentially exposing sensitive information or enabling further attacks on connected systems. While the direct impact on critical infrastructure or enterprise IT systems is limited, organizations with large fleets of vehicles equipped with this device—such as logistics, transportation, or delivery companies—could face operational disruptions or data leakage risks. Additionally, the vulnerability could be leveraged as a foothold for lateral attacks within vehicles or to compromise driver safety systems if integrated. The lack of authentication requirement and no user interaction needed increases the risk of opportunistic attacks in environments where attackers can get physically close to vehicles, such as parking lots or loading docks. However, the overall impact remains medium due to the limited scope of the device and the low-level impact on confidentiality, integrity, and availability.

Monitor for firmware updates or security patches from Sony addressing this vulnerability and apply them promptly once available. Implement physical security controls to restrict unauthorized proximity to vehicles equipped with the Sony XAV-AX8500, such as secure parking areas or controlled access zones. Disable Bluetooth connectivity on the device when not in use or when vehicles are parked in unsecured locations to reduce attack surface. Employ Bluetooth monitoring tools capable of detecting unusual connection attempts or unauthorized devices within organizational premises. Educate employees and fleet operators about the risks of Bluetooth vulnerabilities and encourage vigilance regarding suspicious device behavior. Where possible, replace or upgrade devices running the affected firmware version 2.00.01 with newer versions or alternative products that have addressed this vulnerability. Coordinate with automotive and fleet management teams to inventory affected devices and assess exposure within the organization.