CVE-2025-5479: CWE-122: Heap-based Buffer Overflow in Sony XAV-AX8500
Sony XAV-AX8500 Bluetooth AVCTP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sony XAV-AX8500 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the Bluetooth AVCTP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26290.
AI Analysis
Technical Summary
CVE-2025-5479 is a high-severity heap-based buffer overflow in the Sony XAV-AX8500 in-car multimedia receiver. The flaw lies in the firmware's implementation of the Bluetooth Audio/Video Control Transport Protocol (AVCTP), the transport that carries AVRCP remote-control traffic (play, pause, track metadata) between a paired phone and the head unit; the affected firmware version is 2.00.01. The handler does not validate the length of peer-supplied data before copying it into a fixed-size heap buffer, so an attacker who can pair a malicious Bluetooth device with the unit can overflow that buffer and, with a suitable heap layout, execute arbitrary code in the context of the process that handles Bluetooth. Beyond the initial pairing no user interaction is needed, but the attacker must be network-adjacent, that is, within Bluetooth radio range of the vehicle. Successful exploitation affects confidentiality, integrity and availability, since code execution on the head unit lets the attacker take control of the device or disrupt its operation. No exploitation in the wild has been reported. The CVSS 3.0 base score of 7.5 reflects the high impact, tempered by the complexity of first obtaining the ability to pair. The vulnerability is tracked under CWE-122 (Heap-based Buffer Overflow); it was reserved by the Zero Day Initiative (ZDI) on June 2, 2025 as ZDI-CAN-26290 and publicly disclosed on June 21, 2025. No patch had been released at the time of this report.
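The following C fragment is an added illustration of the bug class the advisory describes; it is not Sony's code, which is not public. It models AVCTP fragment reassembly into a fixed-size heap buffer with an unchecked copy beside a bounds-checked one. The reassembly scenario, the 32-byte buffer, the function names and the sample frames are assumptions made for the example; the AVCTP header layout (transaction label, packet type, C/R and IPID bits, then a PID on single and start packets and a fragment count on start packets) follows the Bluetooth AVCTP specification.

```c
/* Illustrative AVCTP fragment reassembly (hypothetical, not Sony firmware):
 * an unchecked memcpy into a fixed heap buffer beside a bounds-checked one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* AVCTP header byte 0: transaction label [7:4], packet type [3:2], C/R [1], IPID [0] */
#define AVCTP_PKT_SINGLE   0u
#define AVCTP_PKT_START    1u
#define AVCTP_PKT_CONTINUE 2u
#define AVCTP_PKT_END      3u
#define AVCTP_PID_AVRCP    0x110Eu  /* profile id carried by SINGLE/START packets */

/* Assumed size of the per-connection reassembly buffer on the heap. */
#define AVCTP_REASM_MAX 32u

typedef struct {
    uint8_t *buf;  /* malloc(AVCTP_REASM_MAX) */
    size_t   len;  /* bytes accumulated for the message in progress */
} avctp_reasm_t;

static unsigned avctp_pkt_type(uint8_t hdr) { return (hdr >> 2) & 0x3u; }

/* Offset of the message payload inside a fragment, or 0 if the fragment is
 * too short. SINGLE/START carry a 2-byte PID; START also carries a 1-byte
 * fragment count; CONTINUE/END carry only the header byte. */
static size_t avctp_payload_offset(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1) return 0;
    unsigned t = avctp_pkt_type(pkt[0]);
    size_t off = 1;
    if (t == AVCTP_PKT_START) off += 1;
    if (t == AVCTP_PKT_SINGLE || t == AVCTP_PKT_START) off += 2;
    return pkt_len >= off ? off : 0;
}

/* VULNERABLE (CWE-122 pattern): the peer controls pkt_len, and nothing
 * compares the fragment against the space left in the heap buffer. */
int avctp_append_unchecked(avctp_reasm_t *r, const uint8_t *pkt, size_t pkt_len)
{
    size_t off = avctp_payload_offset(pkt, pkt_len);
    if (off == 0) return -1;
    size_t n = pkt_len - off;
    memcpy(r->buf + r->len, pkt + off, n);  /* writes past buf when len + n > AVCTP_REASM_MAX */
    r->len += n;
    return 0;
}

/* HARDENED: compute the remaining capacity first and drop the message if the
 * fragment would exceed it. The subtraction cannot underflow because len never
 * exceeds the capacity on this path. */
int avctp_append_checked(avctp_reasm_t *r, const uint8_t *pkt, size_t pkt_len)
{
    size_t off = avctp_payload_offset(pkt, pkt_len);
    if (off == 0) return -1;
    size_t n = pkt_len - off;
    if (n > AVCTP_REASM_MAX - r->len) { r->len = 0; return -2; }
    memcpy(r->buf + r->len, pkt + off, n);
    r->len += n;
    return 0;
}

/* Feed fragments in order; SINGLE/START begins a new message. Returns 0 on
 * success or the first negative code from the selected append routine. */
int avctp_reassemble(avctp_reasm_t *r, const uint8_t *const frags[],
                     const size_t lens[], size_t nfrags, bool hardened)
{
    for (size_t i = 0; i < nfrags; i++) {
        if (lens[i] == 0) return -1;
        unsigned t = avctp_pkt_type(frags[i][0]);
        if (t == AVCTP_PKT_SINGLE || t == AVCTP_PKT_START) r->len = 0;
        int rc = hardened ? avctp_append_checked(r, frags[i], lens[i])
                          : avctp_append_unchecked(r, frags[i], lens[i]);
        if (rc != 0) return rc;
    }
    return 0;
}

/* Constructed sample traffic (not captured from a device). */
static const uint8_t k_start_ok[] = { 0x14, 0x02, 0x11, 0x0E, 'a', 'b' }; /* label 1, START, 2 frags, PID AVRCP */
static const uint8_t k_end_ok[]   = { 0x1C, 'c', 'd' };                    /* label 1, END */

/* Two 20-byte fragments: 40 bytes of payload against a 32-byte buffer. */
static const uint8_t k_start_big[] = { 0x14, 0x02, 0x11, 0x0E,
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 };
static const uint8_t k_end_big[]   = { 0x1C,
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 };

/* Benign message through either path: returns the reassembled length (4). */
int avctp_demo_benign(bool hardened)
{
    avctp_reasm_t r = { malloc(AVCTP_REASM_MAX), 0 };
    if (!r.buf) return -3;
    const uint8_t *frags[] = { k_start_ok, k_end_ok };
    const size_t lens[] = { sizeof k_start_ok, sizeof k_end_ok };
    int rc = avctp_reassemble(&r, frags, lens, 2, hardened);
    int out = (rc == 0 && memcmp(r.buf, "abcd", 4) == 0) ? (int)r.len : rc;
    free(r.buf);
    return out;
}

/* Oversized message through the hardened path only: returns -2 (rejected).
 * Never run the unchecked path on this input; it corrupts the heap. */
int avctp_demo_oversized_hardened(void)
{
    avctp_reasm_t r = { malloc(AVCTP_REASM_MAX), 0 };
    if (!r.buf) return -3;
    const uint8_t *frags[] = { k_start_big, k_end_big };
    const size_t lens[] = { sizeof k_start_big, sizeof k_end_big };
    int rc = avctp_reassemble(&r, frags, lens, 2, true);
    free(r.buf);
    return rc;
}
```

The hardened check compares each fragment against the capacity remaining after earlier fragments, not against the buffer size alone; a check of `n <= AVCTP_REASM_MAX` would still overflow once a previous fragment has consumed part of the buffer. Whatever length field the real handler trusts, the fix has the same shape: bound the copy by the destination's remaining space before calling memcpy.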
Potential Impact
For European organizations the impact is most relevant to fleets, company cars and logistics operations that have fitted Sony XAV-AX8500 units. Exploitation gives an attacker control of the multimedia system, which could be used to disrupt navigation, hands-free calling or infotainment, causing downtime and lost productivity. The head unit does not itself control safety-critical vehicle functions, but where it is wired to other vehicle networks or telematics equipment a compromise could serve as a pivot point toward those systems and, through them, enterprise infrastructure. Data held on the device is also exposed, including Bluetooth link keys and any user data synced from a paired phone. Because the attacker must be able to pair with the unit, the threat is greatest where an outsider can stay within Bluetooth range of a parked vehicle: public car parks, transport hubs and company premises.
Mitigation Recommendations
1. Restrict Bluetooth pairing to trusted devices, enforce a pairing policy, and turn Bluetooth off when it is not in use.
2. Watch for unexpected pairing attempts and unknown entries in the unit's paired-device list, particularly in fleet and corporate vehicles.
3. Apply physical security controls that limit unauthorized proximity to equipped vehicles; the attack requires Bluetooth range.
4. Coordinate with Sony on a firmware update that addresses the flaw, and deploy it as soon as it is available.
5. Where the installation allows, isolate the infotainment unit from other vehicle and telematics networks to limit lateral movement after a compromise.
6. Where a monitoring capability exists for vehicle systems, use it to flag anomalous head-unit behaviour.
7. Train staff and drivers not to accept pairing requests from unknown devices and to report suspicious activity.
8. For critical operations, consider disabling Bluetooth on the unit entirely until a patch is released (individual profiles such as AVRCP over AVCTP are not normally user-selectable on a consumer head unit), or using an alternative multimedia system in the meantime.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-02T19:14:53.281Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68568e80aded773421b5a77f
Added to database: 6/21/2025, 10:50:40 AM
Last enriched: 6/21/2025, 11:36:37 AM
Last updated: 8/13/2025, 2:22:32 AM