Vulnerability
A vulnerability was identified in the Bluetooth Human Interface Device (HID) handling of the infotainment system, which runs Android v12.0. The BLE stack and input-processing components accept HID peripherals with insufficient verification, so a spoofed HID device is recognized as a legitimate input source. As a result, the system processes unsolicited keystrokes originating from external, untrusted wireless devices, exposing the infotainment unit to unauthorized interaction over its BLE interface.
Impact
Successful exploitation allows an attacker within Bluetooth range to inject keystrokes into the infotainment system. This can cause unintended menu navigation, application launches, changes to settings, and interaction with system features without the user's consent. The issue does not directly affect other vehicle ECUs, but it allows manipulation of infotainment functions without physical access to the vehicle, which is a significant risk.
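The following is an added example written for this page; it is not code from the advisory or from the vendor. It shows the three pieces behind the issue described above: how a HID-over-GATT (HOGP) peripheral is recognized as a keyboard from the Report Map it publishes, what the injected boot-protocol input reports decode to once the device is attached, and a hypothetical hardening gate (an assumption about what a hardened stack should do, not the vendor's logic) that refuses keyboard-class peripherals unless the link is encrypted, bonded and MITM-protected. The report map, the injected reports and the `PeripheralLink` addresses are constructed sample data.

```python
"""Added example (not from the advisory or the vendor): HOGP keyboard
recognition, boot-report decoding, and a pairing-security gate.
All sample bytes are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample: the standard boot-protocol keyboard report map (63 bytes),
# i.e. what a spoofed peripheral would publish in its HID Service Report Map
# characteristic to be enumerated as a keyboard.
BOOT_KEYBOARD_REPORT_MAP = bytes.fromhex(
    "05010906a101050719e029e71500250175019508810295017508810195057501"
    "050819012905910295017503910195067508150025650507190029658100c0"
)

USAGE_PAGE_GENERIC_DESKTOP = 0x01
USAGE_KEYBOARD = 0x06
USAGE_KEYPAD = 0x07


def application_collections(report_map: bytes) -> list:
    """Walk a HID report descriptor and return (usage_page, usage) for every
    top-level Application collection. Only the global Usage Page and local
    Usage items needed for classification are interpreted; the rest is skipped."""
    found, usage_page, usages, depth, i = [], 0, [], 0, 0
    while i < len(report_map):
        prefix = report_map[i]
        if prefix == 0xFE:                       # long item: skip it whole
            i += 3 + report_map[i + 1]
            continue
        size = prefix & 0x03
        size = 4 if size == 3 else size
        item_type = (prefix >> 2) & 0x03         # 0 main, 1 global, 2 local
        tag = prefix >> 4
        value = int.from_bytes(report_map[i + 1:i + 1 + size], "little")
        i += 1 + size
        if item_type == 1 and tag == 0x0:        # Global: Usage Page
            usage_page = value
        elif item_type == 2 and tag == 0x0:      # Local: Usage (4-byte form carries its page)
            usages.append((value >> 16, value & 0xFFFF) if size == 4 else (None, value))
        elif item_type == 0:                     # Main items consume local state
            if tag == 0xA:                       # Collection
                if value == 0x01 and depth == 0 and usages:
                    page, usage = usages[0]
                    found.append((usage_page if page is None else page, usage))
                depth += 1
            elif tag == 0xC:                     # End Collection
                depth -= 1
            usages = []
    return found


def is_keyboard(report_map: bytes) -> bool:
    return any(page == USAGE_PAGE_GENERIC_DESKTOP and usage in (USAGE_KEYBOARD, USAGE_KEYPAD)
               for page, usage in application_collections(report_map))


# Boot-protocol keyboard input report: [modifiers, reserved, key1..key6].
MOD_SHIFT = 0x02 | 0x20                          # left and right Shift bits
_KEYCODES = {0x28: "\n", 0x2C: " "}
_KEYCODES.update({0x04 + n: chr(ord("a") + n) for n in range(26)})
_KEYCODES.update({0x1E + n: "1234567890"[n] for n in range(10)})


def decode_boot_reports(reports: list) -> str:
    """Turn a sequence of 8-byte boot keyboard reports into the text the host
    receives. A key is emitted when it first appears, so a press followed by an
    all-zero release report counts once."""
    text, held = [], set()
    for rep in reports:
        if len(rep) != 8:
            raise ValueError("boot keyboard report must be 8 bytes")
        shifted = bool(rep[0] & MOD_SHIFT)
        pressed = {k for k in rep[2:8] if k}
        for key in sorted(pressed - held):
            ch = _KEYCODES.get(key)
            if ch is not None:                   # keys outside this small keymap are dropped
                text.append(ch.upper() if shifted and ch.isalpha() else ch)
        held = pressed
    return "".join(text)


# Constructed sample: reports a spoofed keyboard might send to type "Hi" + Enter.
INJECTED_REPORTS = [
    bytes([0x02, 0, 0x0B, 0, 0, 0, 0, 0]),       # Shift + h
    bytes(8),                                    # release all
    bytes([0x00, 0, 0x0C, 0, 0, 0, 0, 0]),       # i
    bytes(8),
    bytes([0x00, 0, 0x28, 0, 0, 0, 0, 0]),       # Enter
    bytes(8),
]


@dataclass
class PeripheralLink:
    address: str
    encrypted: bool        # LE link is currently encrypted
    bonded: bool           # a long-term key is stored for this peer
    mitm_protected: bool   # LTK came from passkey/numeric-comparison pairing, not Just Works
    report_map: bytes


def should_attach_as_input(link: PeripheralLink) -> tuple:
    """Hypothetical hardening policy (an assumption, not the vendor's logic):
    a peripheral that declares itself a keyboard is only registered as an input
    source over an encrypted, bonded, MITM-protected link. Just Works pairing
    proves nothing about who the peer is, so a keyboard paired that way is refused."""
    if not link.encrypted:
        return False, "link not encrypted"
    if not link.bonded:
        return False, "peer not bonded"
    if is_keyboard(link.report_map) and not link.mitm_protected:
        return False, "keyboard-class device paired without MITM protection"
    return True, "ok"
```

The parser only tracks what classification needs (Push/Pop and nested application collections are ignored), which is enough to tell a keyboard-class Report Map from, say, a mouse. The gate is deliberately keyed on the declared device class: a mouse over a Just Works link is a nuisance, a keyboard over one is the injection path the advisory describes.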
CVE ID
CVE-2025-63896
Vendor
JXL Infotainment
Product
JXL 9 Inch Car Android Double Din Player
CVSS Score
Base Score: 7.6
CVSS v3 Base Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Disclosure Timeline
– 23-09-2025 – Reported to vendor
– 20-11-2025 – CVE ID reserved
– 05-12-2025 – CVE published
Credits
Shubham S. Thorat – Payatu Security Consulting Pvt. Ltd.