CVE-2025-63896: n/a
An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device.
AI Analysis
Technical Summary
CVE-2025-63896 identifies a security vulnerability in the Bluetooth Human Interface Device (HID) profile implementation of the JXL 9 Inch Car Android Double Din Player running Android version 12.0. The flaw allows an attacker to spoof a Bluetooth HID device and inject arbitrary keystrokes into the system. This can lead to unauthorized commands being executed on the device, potentially altering system behavior or input without user consent. The attack vector requires the attacker to be within Bluetooth range and to successfully pair the spoofed device, which involves user interaction, such as accepting a pairing request. The vulnerability is classified under CWE-306, indicating an authorization bypass or insufficient access control issue. The CVSS v3.1 base score is 3.5, reflecting low severity primarily because the attack requires user interaction and does not compromise confidentiality or availability, only integrity to a limited extent. No patches or known exploits are currently documented, indicating that the vulnerability is newly disclosed and not yet actively exploited. The affected product is a niche automotive infotainment system, limiting the scope of impact to users of this specific hardware and software combination. However, the ability to inject keystrokes could be leveraged for malicious activities such as unauthorized control of the device or triggering unsafe operations while driving.
Potential Impact
For European organizations, the impact of this vulnerability is generally limited due to the specific affected product and the low severity score. However, organizations that operate fleets of vehicles equipped with the JXL 9 Inch Car Android Double Din Player could face risks of unauthorized device control or manipulation of vehicle infotainment systems. This could lead to distraction or unsafe conditions for drivers if exploited. The integrity of the infotainment system could be compromised, potentially allowing attackers to inject commands or manipulate inputs. Confidentiality and availability are not directly impacted. The requirement for user interaction and physical proximity reduces the likelihood of widespread exploitation. Nonetheless, in sectors such as transportation, logistics, or automotive services where such devices are deployed, this vulnerability could pose operational risks and safety concerns.
Mitigation Recommendations
1. Disable Bluetooth HID device pairing on the JXL 9 Inch Car Android Double Din Player when not in use to reduce exposure.
2. Monitor for firmware or software updates from the vendor addressing this vulnerability and apply patches promptly once available.
3. Educate drivers and users to avoid accepting pairing requests from unknown or suspicious Bluetooth devices.
4. Implement physical security controls to limit unauthorized access to vehicles equipped with the affected device.
5. Where possible, restrict Bluetooth device pairing capabilities through device configuration or management tools.
6. Conduct regular security assessments of in-vehicle infotainment systems to detect unauthorized devices or anomalous behavior.
7. Consider network segmentation or isolation of vehicle infotainment systems from critical enterprise networks to limit potential lateral movement.
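A defender-side sketch of mitigations 1, 5 and 6, added here as an example and not code from the advisory or the JXL vendor: an Android 12 (API 31) broadcast receiver that logs any newly bonded device advertising the HID peripheral class, plus a device-owner helper that applies the platform user restrictions blocking pairing changes or Bluetooth altogether. The class and tag names are assumptions; the receiver must be registered for `ACTION_BOND_STATE_CHANGED` and hold the `BLUETOOTH_CONNECT` runtime permission.

```java
import android.app.admin.DevicePolicyManager;
import android.bluetooth.BluetoothClass;
import android.bluetooth.BluetoothDevice;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;
import android.util.Log;

/** Flags HID-class bonds and, for a device-owner app, locks down pairing. */
public class HidBondReceiver extends BroadcastReceiver {
    private static final String TAG = "HidGuard"; // assumed log tag

    // Register for BluetoothDevice.ACTION_BOND_STATE_CHANGED; reading the
    // device class and name needs BLUETOOTH_CONNECT on Android 12 (API 31).
    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!BluetoothDevice.ACTION_BOND_STATE_CHANGED.equals(intent.getAction())) return;
        int state = intent.getIntExtra(BluetoothDevice.EXTRA_BOND_STATE, BluetoothDevice.BOND_NONE);
        if (state != BluetoothDevice.BOND_BONDED) return; // only completed pairings
        BluetoothDevice dev = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
        if (dev != null && isHidClass(dev)) {
            // A keyboard/pointing device just paired: surface it to the driver or
            // fleet console so an unexpected HID bond is noticed, not silently kept.
            Log.w(TAG, "New HID-class bond: " + dev.getAddress() + " name=" + dev.getName());
        }
    }

    /** True when the remote device advertises the PERIPHERAL major class (HID). */
    static boolean isHidClass(BluetoothDevice dev) {
        BluetoothClass cls = dev.getBluetoothClass();
        return cls != null && cls.getMajorDeviceClass() == BluetoothClass.Device.Major.PERIPHERAL;
    }

    /** Device-owner only: stop users adding bonds (mitigation 5) or, with
     *  disableRadio, turn Bluetooth off altogether (mitigation 1). */
    static void restrictPairing(Context ctx, ComponentName admin, boolean disableRadio) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null || !dpm.isDeviceOwnerApp(ctx.getPackageName())) return;
        // Blocks pairing/unpairing from Settings but leaves the radio toggle alone.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CONFIG_BLUETOOTH);
        if (disableRadio) {
            // Bluetooth cannot be turned on or configured at all (API 26+).
            dpm.addUserRestriction(admin, UserManager.DISALLOW_BLUETOOTH);
        }
    }
}
```

The restriction helper only takes effect on a head unit enrolled with the app as device owner; on an unmanaged unit the receiver still provides the detection signal for mitigation 6.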
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6931f4df0459f550ecf89e49
Added to database: 12/4/2025, 8:53:51 PM
Last enriched: 12/11/2025, 9:57:36 PM
Last updated: 1/19/2026, 6:51:16 AM