CVE-2025-7020: CWE-656: Incorrect Encryption Implementation in BYD DiLink OS
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data. This vulnerability was introduced in a patch intended to fix CVE-2024-54728.
AI Analysis
Technical Summary
CVE-2025-7020 is classified under CWE-656 and affects BYD's DiLink 3.0 OS, specifically version 13.1.32.2307211.1, as shipped in vehicles such as the BYD ATTO3. The flaw is in the system log dump feature of the In-Vehicle Infotainment (IVI) unit's storage: an attacker with physical access to the vehicle can bypass the encryption that is supposed to protect exported log dumps and read them. The dumps contain sensitive data, including personally identifiable information (PII) and location data. The defect was introduced by the patch for an earlier vulnerability, CVE-2024-54728, so a fix for one issue created this one. The public record states only that the encryption can be bypassed; it does not describe the implementation mistake itself. The CVSS v4.0 score is 5.1 (medium): the attack vector is physical (AV:P), no privileges or user interaction are required, and the impact is high on confidentiality (VC:H) with no integrity or availability impact. The scope is limited to data on the IVI unit's storage. No exploits are known in the wild. The practical consequence is that anyone who can get at the unit's storage can recover vehicle data usable for tracking, profiling, or as a starting point for further attacks.
Potential Impact
For European organizations, especially those in fleet management, automotive services, or connected vehicle infrastructure, this vulnerability is mainly a privacy risk. Exposure of PII and location data can constitute a personal data breach under GDPR, with the legal and financial consequences that follow. An attacker who obtains the logs can also use them for targeted attacks or surveillance. The physical-access requirement rules out remote exploitation but not scenarios such as vehicle servicing, rentals, or theft, where someone else has the car for a while. The issue affects confidentiality only, not the integrity of vehicle data, but a confidentiality breach of this kind can still undermine consumer trust in BYD vehicles and connected automotive services in Europe, and organizations that run BYD vehicles for logistics or transport face operational risk if leaked location data is misused.
Mitigation Recommendations
Specific mitigations:
1) Update to a patched DiLink OS build as soon as BYD publishes one that addresses the encryption flaw; the record names 13.1.32.2307211.1 as the affected version.
2) Apply strict physical security controls so that unauthorized persons cannot reach the vehicle or its IVI unit: secure parking, key management, and controlled access during servicing.
3) Only BYD can change how the IVI encrypts its log dumps, so treat stronger storage-level protection (for example a hardware-backed encryption module or keystore) as something to require from the vendor rather than a control an operator can add locally.
4) Audit vehicle logs and access attempts regularly to detect suspicious activity, and after an update check that dumps exported from the IVI really are unreadable without the key.
5) For fleet operators, define protocols for secure handling and servicing of vehicles that minimize the opportunity for physical tampering.
6) Track BYD and automotive cybersecurity vendors for updates and for any exploit developments.
7) Apply data minimization when logs are generated so that dumps carry less PII and location data in the first place; a dump that is never written with sensitive content cannot leak it when its encryption fails.
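The following is an added example and is not code from this advisory or from BYD: it shows the two operator-side pieces of mitigations 4 and 7 in working form, a redaction pass that strips location data and PII from log lines before they are dumped, and an audit check that takes a dump file pulled off storage and reports whether it is readable plaintext and whether any recognizable sensitive fields survive in it. The log format, the field names (lat, lon, vin, phone, token) and every value are constructed for illustration; the actual DiLink log format is not public on this page, and the hash chain used as a stand-in for ciphertext is not encryption.

```python
"""Added example (not BYD's or the advisory's code): data minimization for IVI log
dumps and an audit check that an exported dump is not readable plaintext.
The log format and every value below are constructed for illustration."""
import hashlib
import re
import string

# Constructed sample of the kind of lines a system log dump might carry:
# GPS fixes, paired-phone details, the VIN, and an account identifier.
SAMPLE_LOG = """\
2025-07-02 08:14:03 NAV fix lat=52.520008 lon=13.404954 speed=43
2025-07-02 08:14:05 BT paired device=Anna's iPhone addr=A4:83:E7:12:34:56 phone=+4915123456789
2025-07-02 08:14:09 SYS vin=LGXCE4CB6N0123456 sw=13.1.32.2307211.1 boot=ok
2025-07-02 08:14:12 ACC user=anna.mueller@example.com token=eyJhbGciOiJIUzI1NiJ9.abc.def
"""

# Sensitive fields to strip before a dump is written (data minimization).
# The pattern set is illustrative; a deployment would match the platform's own formats.
REDACTIONS = [
    (re.compile(r"\b(lat|lon)=-?\d+\.\d+"), r"\1=<redacted>"),        # location data
    (re.compile(r"\bvin=[A-HJ-NPR-Z0-9]{17}\b"), "vin=<redacted>"),   # vehicle identity
    (re.compile(r"\+?\d[\d ]{9,}\d"), "<phone>"),                      # phone numbers
    (re.compile(r"[\w.+-]+@[\w-]+\.[a-z]{2,}"), "<email>"),             # account e-mail
    (re.compile(r"\b(?:[0-9A-F]{2}:){5}[0-9A-F]{2}\b"), "<mac>"),      # paired-device MAC
    (re.compile(r"token=[A-Za-z0-9._-]{16,}"), "token=<redacted>"),    # bearer tokens
]


def redact_line(line: str) -> str:
    """Apply every redaction pattern to one log line."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


def minimize_dump(text: str) -> str:
    """Redact a whole dump before it is handed to the encryption layer, so that even
    a bypassed or broken encryption step leaks less."""
    return "".join(redact_line(line) + "\n" for line in text.splitlines())


def check_dump_for_leaks(blob: bytes) -> dict:
    """Audit check for a dump file pulled off IVI storage: is it readable plaintext,
    and does it contain any of the sensitive fields above? An encrypted dump should
    report looks_plaintext=False; a correctly minimized plaintext dump should report
    no sensitive_hits."""
    printable = set(string.printable.encode("ascii"))
    ratio = sum(b in printable for b in blob) / max(len(blob), 1)
    text = blob.decode("utf-8", errors="replace")
    hits = [pattern.pattern for pattern, _ in REDACTIONS if pattern.search(text)]
    return {
        "looks_plaintext": ratio > 0.9,   # uniformly random bytes land near 100/256
        "printable_ratio": round(ratio, 3),
        "sensitive_hits": hits,
    }


def ciphertext_stand_in(n: int) -> bytes:
    """Deterministic stand-in for the bytes of a properly encrypted dump, used only so
    the check can be exercised offline. This is a SHA-256 hash chain, not encryption."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    print("raw dump:      ", check_dump_for_leaks(SAMPLE_LOG.encode()))
    print("minimized dump:", check_dump_for_leaks(minimize_dump(SAMPLE_LOG).encode()))
    print("encrypted dump:", check_dump_for_leaks(ciphertext_stand_in(4096)))
```

Run against a real export, the raw dump case is what a bypassed encryption looks like on storage (readable, with every sensitive field present), the minimized case is what mitigation 7 buys you even if the encryption fails again, and only the last case is what a correctly encrypted dump should look like. The printable-byte ratio is a coarse heuristic: a compressed dump also scores low, so a low score alone does not prove encryption, but a high score on a file that is supposed to be encrypted is a finding.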
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ASRG
- Date Reserved: 2025-07-02T12:24:26.302Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68974388ad5a09ad000bb4aa
Added to database: 8/9/2025, 12:48:08 PM
Last enriched: 8/9/2025, 1:02:52 PM
Last updated: 8/10/2025, 1:41:43 AM
Related Threats
- CVE-2025-8790: Improper Authorization in Portabilis i-Educar (Medium)
- CVE-2025-8789: Authorization Bypass in Portabilis i-Educar (Medium)
- CVE-2025-8788: Cross Site Scripting in Portabilis i-Diario (Medium)
- CVE-2025-8787: Cross Site Scripting in Portabilis i-Diario (Medium)
- CVE-2025-8786: Cross Site Scripting in Portabilis i-Diario (Medium)