Vulnerability:
A vulnerability was identified in the GPS signal processing of the JXL Infotainment System, which relies on standard civilian GPS signals for location determination without performing sufficient validation or authenticity checks on the received data. Due to this lack of verification, an attacker in proximity can transmit forged GPS signals using a Software Defined Radio (SDR) device such as the HackRF One, mimicking legitimate satellite transmissions and overriding genuine signals. As a result, the infotainment system processes these spoofed inputs and computes an incorrect, attacker-controlled static location without detecting anomalies, leading to potential impacts such as inaccurate navigation, unintended geofencing behavior, and misuse of location-based functionalities, all without requiring direct access or authentication.
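The kind of plausibility check the paragraph above says is missing, as an added example (not code from the vendor or from this advisory): it flags a position jump that implies an impossible speed, and a fix that stays frozen while the vehicle is moving. The wheel-speed input, the thresholds, and the sample coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 70.0    # assumed ceiling for a road vehicle (about 250 km/h)
STATIC_RADIUS_M = 15.0  # assumed: fixes within this radius count as "not moving"
MIN_TRAVEL_M = 200.0    # assumed: wheel distance before a frozen fix is suspicious

@dataclass
class Fix:
    t: float          # seconds
    lat: float        # degrees
    lon: float        # degrees
    wheel_mps: float  # speed from a wheel sensor, independent of GPS (assumed input)

def haversine_m(a, b):
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_fixes(fixes):
    """Return (index, reason) for every fix that fails a plausibility check."""
    alerts = []
    anchor, odo = fixes[0], 0.0  # start of current stationary run, wheel distance since
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "non-monotonic timestamp"))
            continue
        if haversine_m(prev, cur) / dt > MAX_SPEED_MPS:
            alerts.append((i, "position jump"))
            anchor, odo = cur, 0.0
            continue
        odo += cur.wheel_mps * dt
        if haversine_m(anchor, cur) > STATIC_RADIUS_M:
            anchor, odo = cur, 0.0  # GPS position is moving: restart the run
        elif odo > MIN_TRAVEL_M:
            alerts.append((i, "static fix while vehicle moving"))
            odo = 0.0  # re-alert only after another MIN_TRAVEL_M
    return alerts

def sample_track():
    """Constructed data: 5 s of driving north at 20 m/s, then a frozen fix."""
    real = [Fix(t, 18.5200 + t * 0.00018, 73.8560, 20.0) for t in range(5)]
    frozen = [Fix(t, 28.6139, 77.2090, 20.0) for t in range(5, 25)]
    return real + frozen
```

On the constructed track, `check_fixes(sample_track())` reports the jump at the first frozen fix and the frozen-position alert once the wheel sensor has counted more than 200 m.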
Impact:
Successful exploitation of this vulnerability allows an attacker to spoof a static GPS location on the JXL Infotainment System, causing the system to consistently display incorrect positioning information. This can lead to inaccurate navigation routes, misleading map data, and unintended behavior in location-based features such as geofencing. As a result, the reliability of navigation and other GPS-dependent functionalities is reduced, which may impact user trust and, in certain scenarios, raise safety concerns.
CVE ID:
CVE-2025-69515
Vendor:
JXL Infotainment
Product:
JXL 9 Inch Car Android Double Din Player
CVSS Base Score: 5.4
CVSS Base Vector:
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Disclosure Timeline:
– 19-02-2026 – CVE ID Reserved
– 08-04-2026 – CVE published
Credit:
Shubham S. Thorat – Payatu Security Consulting Pvt. Ltd.