
CVE-2025-63896: n/a

Published: Thu Dec 04 2025 (12/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device.

AI-Powered Analysis

Last updated: 12/04/2025, 21:11:15 UTC

Technical Analysis

CVE-2025-63896 is a security vulnerability identified in the Bluetooth Human Interface Device (HID) profile implementation of the JXL 9 Inch Car Android Double Din Player running Android 12.0. The flaw allows an attacker to spoof a Bluetooth HID device and inject arbitrary keystrokes into the system. This means that an attacker within Bluetooth range can impersonate a trusted input device such as a keyboard or mouse and send malicious commands to the infotainment system without user consent. The vulnerability arises from insufficient validation or authentication of the Bluetooth HID device, enabling unauthorized input injection. Since the device runs Android 12.0, the attack surface includes any connected vehicle or user interface relying on this hardware. The lack of a CVSS score and absence of known exploits in the wild suggest it is a recently discovered issue, with limited public exploitation information. However, the potential for remote command injection via Bluetooth HID spoofing poses risks to system integrity, availability, and possibly confidentiality if commands can manipulate connected systems or data. No patches or updates have been published yet, increasing the urgency for mitigation through operational controls. This vulnerability is particularly relevant for organizations deploying these infotainment units in fleet vehicles or critical transport infrastructure, where unauthorized control could lead to operational disruption or safety risks.

Potential Impact

For European organizations, the impact of CVE-2025-63896 could be significant, especially those operating vehicle fleets equipped with the vulnerable JXL 9 Inch Car Android Double Din Player. Successful exploitation could allow attackers to inject arbitrary keystrokes, potentially enabling unauthorized control over the infotainment system and any connected vehicle functions. This could lead to disruption of navigation, communication, or media systems, impacting driver safety and operational efficiency. In worst-case scenarios, if the infotainment system interfaces with vehicle control modules, the attack could escalate to safety-critical impacts. Additionally, attackers might leverage this access to pivot into broader corporate networks if vehicles are connected to enterprise systems. The lack of patches increases exposure, and the Bluetooth attack vector means attackers only need to be in physical proximity, which could be exploited in public or fleet parking areas. Confidentiality risks exist if sensitive information displayed or stored on the device is accessed or manipulated. Overall, the vulnerability threatens the integrity and availability of vehicle infotainment systems, with potential cascading effects on organizational operations and safety.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement several practical mitigations:

1) Restrict Bluetooth pairing on the affected devices to trusted devices only, disabling automatic or open pairing modes.
2) Employ Bluetooth device whitelisting and enforce strict authentication policies to prevent unauthorized HID devices from connecting.
3) Monitor Bluetooth activity logs for unusual or unexpected device connections and keystroke injection patterns.
4) Physically secure vehicles and infotainment systems to limit attacker proximity and reduce the risk of Bluetooth-based attacks.
5) Where possible, disable Bluetooth HID profiles if they are not required for operational use.
6) Engage with the device vendor to obtain security updates or firmware patches as soon as they become available.
7) Educate drivers and fleet operators about the risks of connecting unknown Bluetooth devices to vehicle systems.
8) Consider network segmentation and isolation of vehicle infotainment systems from critical enterprise networks to limit lateral movement in case of compromise.

These targeted steps go beyond generic advice and address the specific Bluetooth HID injection vector.
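As an added example (not part of this record, the vendor's software, or any documented log format) of what mitigations 2 and 3 look like in practice, the Python check below decodes the Bluetooth Class of Device field to pick out HID input devices (keyboards and pointing devices) and flags any that connected without bonding or whose address is not on a fleet allowlist; the connection-event layout, field names and sample addresses are constructed.

```python
# Added example (not vendor code): flag Bluetooth HID input devices that connect to a
# head unit without bonding or without being on the fleet allowlist. Log format is assumed.
import re

# Class of Device (CoD): bits 8-12 = major device class (0x05 = Peripheral, i.e. HID);
# within Peripheral, CoD bits 6-7 select keyboard (01), pointing device (10) or combo (11).
MAJOR_PERIPHERAL = 0x05
INPUT_KIND = {1: "keyboard", 2: "pointing device", 3: "keyboard+pointing"}

def hid_input_kind(cod):
    # Returns the HID input kind a CoD advertises, or None for non-HID devices.
    if (cod >> 8) & 0x1F != MAJOR_PERIPHERAL:
        return None
    return INPUT_KIND.get((cod >> 6) & 0x3)

# Assumed event layout: "<ts> bt_conn addr=<MAC> cod=0x<6 hex> bonded=<0|1> name=<text>"
EVENT_RE = re.compile(
    r"(?P<ts>\S+) bt_conn addr=(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"cod=0x(?P<cod>[0-9A-Fa-f]{6}) bonded=(?P<bonded>[01]) name=(?P<name>.*)")

def audit_hid_connections(log_lines, allowlist):
    """Return (ts, addr, kind, name, reasons) for each suspicious HID connection."""
    alerts = []
    for line in log_lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a connection event
        kind = hid_input_kind(int(m["cod"], 16))
        if kind is None:
            continue  # headsets, phones etc. are outside the HID injection vector
        addr = m["addr"].upper()
        reasons = []
        if addr not in allowlist:
            reasons.append("address not on HID allowlist")
        if m["bonded"] == "0":
            reasons.append("HID input accepted without bonding")
        if reasons:
            alerts.append((m["ts"], addr, kind, m["name"], "; ".join(reasons)))
    return alerts

# Constructed sample events: a headset, the fleet's approved keyboard, and an unknown unbonded combo device.
SAMPLE_LOG = [
    "2025-12-04T08:01:12Z bt_conn addr=AA:BB:CC:00:00:01 cod=0x240404 bonded=1 name=Driver Headset",
    "2025-12-04T08:01:40Z bt_conn addr=AA:BB:CC:00:00:02 cod=0x002540 bonded=1 name=Fleet KB",
    "2025-12-04T08:02:05Z bt_conn addr=DE:AD:BE:EF:00:01 cod=0x0025C0 bonded=0 name=Keyboard",
]
FLEET_HID_ALLOWLIST = {"AA:BB:CC:00:00:02"}

if __name__ == "__main__":
    for alert in audit_hid_connections(SAMPLE_LOG, FLEET_HID_ALLOWLIST):
        print("ALERT", *alert, sep=" | ")
```

On the sample log only the unknown, unbonded combo device is reported; the allowlisted keyboard and the headset pass.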


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-10-27T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6931f4df0459f550ecf89e49

Added to database: 12/4/2025, 8:53:51 PM

Last enriched: 12/4/2025, 9:11:15 PM

Last updated: 12/5/2025, 12:30:37 AM


