Researchers discovered two vulnerabilities affecting electric two-wheelers: Zero Motorcycles' Bluetooth firmware update mechanism and Yadea's key fob authentication. The Zero Motorcycles flaw allows an attacker to connect over Bluetooth during a pairing mode that lacks proper authentication, enabling malicious firmware uploads that can manipulate safety-critical vehicle functions. This vulnerability affects firmware version 44 and earlier and is rated medium severity by CISA due to high attack complexity and required proximity. The Yadea T5 scooter vulnerability is a weak authentication issue allowing interception and mathematical synthesis of key fob commands to unlock and start the scooter, rated high severity by CISA. Yadea has not yet issued a patch. Both vulnerabilities pose risks to physical security and rider safety.

Exploitation of the Zero Motorcycles vulnerability can lead to unauthorized firmware installation, allowing attackers to alter throttle control, braking behavior, and battery management, potentially causing unsafe vehicle operation at highway speeds. The Yadea scooter vulnerability enables attackers to unlock and start the scooter without authorization, facilitating theft. Both vulnerabilities require physical proximity to the vehicle and technical knowledge to exploit. No known exploits in the wild have been reported. Zero Motorcycles is preparing a patch, while Yadea has not yet released a fix.

Zero Motorcycles users should pair their motorcycles with their phones in secure, private locations to prevent unauthorized pairing attempts until the vendor releases the planned firmware patch in May. For Yadea T5 scooter owners, no patch is currently available; users should remain vigilant and consider physical security measures to prevent unauthorized access. Monitor vendor advisories for updates on patch releases. No additional mitigation guidance is provided by the vendors at this time.