CVE-2025-7020: CWE-656: Incorrect Encryption Implementation in BYD DiLink OS
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data. This vulnerability was introduced in a patch intended to fix CVE-2024-54728.
AI Analysis
Technical Summary
CVE-2025-7020 is a vulnerability identified in BYD's DiLink 3.0 operating system, specifically affecting the system log dump feature on the In-Vehicle Infotainment (IVI) unit of vehicles such as the BYD ATTO3 model. The vulnerability stems from an incorrect encryption implementation introduced in a patch that was originally intended to fix a previous vulnerability (CVE-2024-54728). This flaw allows an attacker with physical access to the vehicle to bypass the encryption protecting the system log dumps stored on the IVI unit's storage. Consequently, the attacker can access and read sensitive system logs that may contain personally identifiable information (PII) and location data. The vulnerability is classified under CWE-656, which relates to incorrect encryption implementation, indicating that the cryptographic protections are either improperly applied or flawed, undermining the confidentiality of stored data. The CVSS 4.0 base score is 5.1 (medium severity): the attack vector requires physical access (AV:P) and no privileges or user interaction are needed, but the impact on the confidentiality of sensitive information is high (VC:H). The scope is limited to the affected IVI unit, and no known exploits are currently reported in the wild. The affected version is 13.1.32.2307211.1 of DiLink OS. This vulnerability highlights the risks associated with cryptographic errors in automotive systems, particularly those that handle sensitive user data and vehicle telemetry.
Potential Impact
For European organizations, especially those involved in automotive manufacturing, fleet management, or vehicle leasing, this vulnerability poses a significant privacy and security risk. The ability to extract sensitive PII and location data from vehicle logs can lead to privacy violations, unauthorized tracking, and potential exposure of user behavior patterns. This could result in regulatory non-compliance under GDPR, leading to legal and financial penalties. Additionally, the breach of sensitive vehicle data could undermine customer trust and brand reputation. For companies operating connected vehicle services or telematics platforms, compromised data integrity and confidentiality could disrupt business operations and expose them to further targeted attacks. The requirement for physical access limits remote exploitation but raises concerns for scenarios such as vehicle theft, unauthorized maintenance, or insider threats. The vulnerability also underscores the importance of secure cryptographic implementations in automotive embedded systems, which are increasingly targeted by threat actors.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and vehicle owners should ensure that all affected BYD DiLink OS units are updated to a patched version once BYD releases a fix addressing CVE-2025-7020. Until a patch is available, physical security controls should be enhanced to prevent unauthorized access to vehicles, including secure parking, alarm systems, and monitoring. Organizations managing fleets should implement strict access controls and audit procedures for vehicle handling and maintenance. Additionally, it is advisable to perform regular security assessments of IVI systems and related components to detect unauthorized access or tampering. From a development perspective, BYD and other automotive OS vendors should adopt rigorous cryptographic code reviews, employ standardized and vetted encryption libraries, and conduct thorough testing of patches to avoid regression vulnerabilities. Finally, organizations should consider encrypting sensitive data at rest with hardware-backed security modules and implement secure boot and firmware integrity checks to prevent unauthorized modifications.
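The page does not disclose what the DiLink log-dump encryption got wrong, so the following is not BYD's code and does not reproduce the flaw. It is an added example, written for this page, of the properties a correctly implemented encrypted log dump should have when built on a vetted standard-library primitive (AES-256-GCM in Go): a fresh random nonce per dump, an authentication tag that detects tampering, associated data that binds the dump to its unit, and a check that no PII is readable from the stored blob. The unit identifier, the sample log line and the demo key in main are constructed for illustration; in a real IVI the key would come from a hardware-backed keystore, as the recommendations above suggest.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample of the kind of PII and location data a log dump may hold.
const sampleLogDump = "2025-07-02 12:24 user=jane.doe@example.invalid gps=51.5074,-0.1278 event=unlock\n"

// aadForDump returns associated data that is authenticated but not encrypted,
// so a dump cannot be silently re-labelled as belonging to a different unit.
func aadForDump(unitID string) []byte {
	return []byte("logdump-v1:" + unitID)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLogDump seals one dump with AES-256-GCM and returns nonce || ciphertext || tag.
// The nonce is random per call; reusing a nonce under the same key is the classic
// GCM mistake, so it is never derived from anything deterministic here.
func EncryptLogDump(key []byte, unitID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, aadForDump(unitID)), nil
}

// DecryptLogDump opens a blob produced by EncryptLogDump. Any modification of the
// nonce, ciphertext, tag or unit ID makes Open fail, and nothing is returned.
func DecryptLogDump(key []byte, unitID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aadForDump(unitID))
}

// BlobExposes reports whether a sensitive substring is readable straight out of
// the stored blob; for a correct implementation this must be false.
func BlobExposes(blob []byte, sensitive string) bool {
	return bytes.Contains(blob, []byte(sensitive))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real use
	blob, err := EncryptLogDump(key, "unit-A", []byte(sampleLogDump))
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext readable from storage:", BlobExposes(blob, "jane.doe"))
	pt, err := DecryptLogDump(key, "unit-A", blob)
	fmt.Println("round trip ok:", err == nil && string(pt) == sampleLogDump)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptLogDump(key, "unit-A", blob)
	fmt.Println("tamper detected:", err != nil)
}
```

The two checks worth carrying into a regression test for a patch like the one that introduced this CVE are the last two: the stored blob must not contain any of the sensitive fields verbatim, and a decrypt with a modified blob or a different unit ID must fail rather than return partial data.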
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ASRG
- Date Reserved: 2025-07-02T12:24:26.302Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68974388ad5a09ad000bb4aa
Added to database: 8/9/2025, 12:48:08 PM
Last enriched: 8/17/2025, 1:06:58 AM
Last updated: 9/21/2025, 4:44:59 AM