CVE-2025-5477: CWE-122: Heap-based Buffer Overflow in Sony XAV-AX8500
Sony XAV-AX8500 Bluetooth L2CAP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sony XAV-AX8500 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the Bluetooth L2CAP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the elysian-bt-service process. Was ZDI-CAN-26286.
AI Analysis
Technical Summary
CVE-2025-5477 is a high-severity heap-based buffer overflow vulnerability affecting the Sony XAV-AX8500, a popular in-car multimedia receiver. The flaw resides in the device's implementation of the Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) protocol. Specifically, the vulnerability arises from improper validation of the length of user-supplied data before it is copied into a heap-based buffer. This missing bounds check allows a network-adjacent attacker to craft malicious Bluetooth packets that overflow the buffer, leading to arbitrary code execution in the context of the elysian-bt-service process. Exploitation requires the attacker to first pair a malicious Bluetooth device with the target system, which implies proximity to the vehicle, but beyond that pairing step no user interaction or prior authentication is needed. Successful exploitation could allow an attacker to execute arbitrary code remotely, potentially taking full control of the affected device. The vulnerability is present in version 2.00.01 of the Sony XAV-AX8500 firmware. The CVSS v3.0 base score is 7.5, reflecting high impact on confidentiality, integrity, and availability, with an adjacent-network attack vector, high attack complexity, no privileges required, and no user interaction needed. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved and published in June 2025 and was tracked under ZDI-CAN-26286 by the Zero Day Initiative. The CWE classification is CWE-122 (Heap-based Buffer Overflow), a common and dangerous memory corruption issue that can lead to remote code execution and system compromise.
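The bug class described above, as an added illustration that is not Sony's code and not derived from the affected firmware: a simplified L2CAP basic-frame receiver whose copy length is taken straight from the packet header, beside the hardened form that checks the declared length against both the bytes actually received and the destination heap buffer. The frame layout, the 64-byte buffer size and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified L2CAP basic frame (constructed for illustration): 2-byte
 * little-endian payload length, 2-byte channel id, then the payload. */
#define L2CAP_HDR_LEN 4
#define CHAN_BUF_CAP  64   /* assumed size of the per-channel heap buffer */

typedef struct {
    uint8_t *data;   /* buffer of CHAN_BUF_CAP bytes (heap in a real stack) */
    size_t   used;
} chan_buf_t;

typedef enum { L2CAP_OK = 0, L2CAP_ERR_SHORT, L2CAP_ERR_TRUNCATED, L2CAP_ERR_TOO_BIG } l2cap_rc_t;

static uint16_t l2cap_declared_len(const uint8_t *frame) {
    return (uint16_t)(frame[0] | (frame[1] << 8));
}

/* CWE-122 pattern: the memcpy length is the attacker-controlled header field,
 * so a declared length above CHAN_BUF_CAP writes past the end of the buffer.
 * Kept only for contrast; it is never given untrusted input here. */
static size_t copy_unchecked(chan_buf_t *cb, const uint8_t *frame) {
    uint16_t plen = l2cap_declared_len(frame);
    memcpy(cb->data, frame + L2CAP_HDR_LEN, plen);
    cb->used = plen;
    return plen;
}

/* Hardened form: reject frames that are too short to carry a header, that
 * declare more payload than was received, or that exceed the buffer. */
static l2cap_rc_t copy_checked(chan_buf_t *cb, const uint8_t *frame, size_t frame_len) {
    if (frame_len < L2CAP_HDR_LEN) return L2CAP_ERR_SHORT;
    uint16_t plen = l2cap_declared_len(frame);
    if (plen > frame_len - L2CAP_HDR_LEN) return L2CAP_ERR_TRUNCATED;
    if (plen > CHAN_BUF_CAP) return L2CAP_ERR_TOO_BIG;
    memcpy(cb->data, frame + L2CAP_HDR_LEN, plen);
    cb->used = plen;
    return L2CAP_OK;
}

int main(void) {
    uint8_t storage[CHAN_BUF_CAP];
    chan_buf_t cb = { storage, 0 };
    /* constructed frames: a valid 8-byte payload, and one claiming 65535 bytes */
    uint8_t good[L2CAP_HDR_LEN + 8]  = { 8, 0, 0x40, 0x00, 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t lying[L2CAP_HDR_LEN + 8] = { 0xFF, 0xFF, 0x40, 0x00, 1, 2, 3, 4, 5, 6, 7, 8 };
    printf("unchecked copy of a well-formed frame: %zu bytes\n", copy_unchecked(&cb, good));
    l2cap_rc_t rc = copy_checked(&cb, lying, sizeof lying);
    printf("checked copy of the lying frame: rc=%d (2 = truncated, rejected)\n", (int)rc);
    return 0;
}
```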
Potential Impact
For European organizations, the impact of this vulnerability is significant, particularly for those relying on Sony XAV-AX8500 devices in their vehicle fleets or corporate vehicles. Exploitation could lead to unauthorized remote code execution, allowing attackers to compromise the device's software environment, potentially gaining access to sensitive data, disrupting multimedia and communication functions, or pivoting to other connected systems within the vehicle or enterprise network. This could affect confidentiality by exposing stored or transmitted data, integrity by allowing manipulation of device operations, and availability by causing device crashes or denial of service. Given the Bluetooth vector, attackers would need physical proximity to pair devices, which limits remote exploitation but increases risk in public or shared vehicle environments. The vulnerability could be leveraged in targeted attacks against executives or high-value assets using vehicles equipped with this device, or in supply chain attacks if exploited at scale. Additionally, compromised devices could serve as entry points into broader corporate networks if connected via USB or other interfaces. The lack of patches increases risk until mitigations are applied. Overall, the vulnerability poses a tangible threat to operational continuity and data security for European organizations using affected Sony multimedia systems.
Mitigation Recommendations
- Immediately restrict physical access to vehicles equipped with Sony XAV-AX8500 devices to trusted personnel only, minimizing opportunities for malicious Bluetooth pairing.
- Disable Bluetooth pairing or visibility on the device when not actively in use to reduce attack surface.
- Implement strict Bluetooth device whitelisting policies where possible, allowing pairing only with known, trusted devices.
- Monitor Bluetooth connection logs on vehicles for unauthorized or suspicious pairing attempts.
- Isolate affected devices from critical enterprise networks to prevent lateral movement in case of compromise.
- Engage with Sony support channels to obtain firmware updates or patches as soon as they become available and prioritize their deployment.
- Consider deploying network segmentation and endpoint detection solutions in vehicle management systems to detect anomalous behavior originating from compromised multimedia devices.
- Educate drivers and fleet managers about the risks of pairing unknown Bluetooth devices and enforce policies against unauthorized device connections.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-02T19:14:45.641Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68568e80aded773421b5a755
Added to database: 6/21/2025, 10:50:40 AM
Last enriched: 6/21/2025, 11:36:56 AM
Last updated: 8/15/2025, 1:58:21 AM