CVE-2025-63896 is a vulnerability identified in the Bluetooth Human Interface Device (HID) implementation of the JXL 9 Inch Car Android Double Din Player running Android 12.0. The flaw allows an attacker to inject arbitrary keystrokes by spoofing a Bluetooth HID device, effectively impersonating a trusted input device such as a keyboard. This vulnerability stems from improper authentication or validation of connected Bluetooth HID devices (CWE-306), enabling an attacker within Bluetooth range to send malicious input commands without requiring any user interaction or prior authentication. The CVSS 3.1 score of 7.6 reflects a high severity, with an attack vector of adjacent network (Bluetooth), low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality is low since the attacker primarily injects keystrokes rather than directly accessing data. However, the integrity impact is high because arbitrary commands can be executed, potentially altering system settings, launching applications, or manipulating data. Availability impact is low but possible if injected commands disrupt normal device operation. The vulnerability affects the specific JXL 9 Inch Car Android Double Din Player running Android 12.0; no other versions or devices are currently identified as vulnerable. No patches or fixes have been published yet, and no known exploits are reported in the wild. This vulnerability highlights risks in automotive infotainment systems that rely on Bluetooth HID for user input, emphasizing the need for robust device authentication and input validation in such embedded systems.

For European organizations, especially those involved in automotive services, fleet management, or connected vehicle infrastructure, this vulnerability poses a risk of unauthorized control over vehicle infotainment systems. Attackers could inject commands to manipulate navigation, media playback, or potentially escalate attacks to other connected vehicle components if integrated. This could lead to operational disruptions, data integrity issues, or privacy violations. The risk is heightened in environments where vehicles are parked or operated in public or semi-public spaces, allowing attackers to connect via Bluetooth. Although the confidentiality impact is limited, the ability to execute arbitrary commands threatens system integrity and could be leveraged for further attacks. The lack of patches increases exposure duration. Organizations relying on these devices for driver assistance or telematics should consider the threat in their risk assessments and incident response planning.

1. Immediately restrict Bluetooth pairing on affected devices to trusted devices only, disabling automatic or open pairing modes. 2. Implement monitoring for new or unexpected Bluetooth HID devices connecting to vehicle infotainment systems, with alerts for suspicious activity. 3. Educate drivers and fleet operators about the risks of connecting to unknown Bluetooth devices and encourage disabling Bluetooth when not in use. 4. Coordinate with the device vendor or supplier to obtain firmware updates or patches as soon as they become available. 5. Where possible, segment infotainment systems from critical vehicle control networks to limit potential lateral movement. 6. Employ Bluetooth device whitelisting or MAC address filtering if supported by the device. 7. Conduct regular security audits of vehicle infotainment systems and update security policies to include Bluetooth device management. 8. Consider deploying endpoint detection solutions capable of identifying anomalous input injection or device spoofing behaviors.