Four linked vulnerabilities in OpenSynergy’s Blue SDK Bluetooth stack, collectively named PerfektBlue, allow attackers to take over a vehicle’s infotainment system with a single click. The flaws affect major automotive brands, including Mercedes-Benz, Volkswagen, and Skoda.
The PCA Security Assessment Team discovered the issues while analyzing compiled Blue SDK binaries. They didn’t have source code. They didn’t need it.
The vulnerabilities affect the Bluetooth protocol stack used by many embedded systems in the automotive supply chain. Together, the flaws create a path to remote code execution in the operating system of the affected unit.
Four Vulnerabilities, One Attack Chain
The bugs sit in three layers of the stack: the AVRCP profile, the L2CAP layer beneath it, and RFCOMM. One of them, the AVRCP use-after-free, is the serious one and the entry point for the chain.
- CVE-2024-45434 – Use-after-free in the AVRCP (Audio/Video Remote Control Profile) service. CVSS score: 8.0. This is the entry point.
- CVE-2024-45431 – Improper validation of an L2CAP channel’s remote CID (channel identifier). CVSS: 3.5.
- CVE-2024-45433 – Improper function termination in RFCOMM. CVSS: 5.7.
- CVE-2024-45432 – Function call with an incorrect parameter in RFCOMM. CVSS: 5.7.
On their own, some of these flaws are low to medium risk. But chained together, they let an attacker in radio range take control of the head unit once it has paired with the attacker’s device. In some cases the pairing needs no user interaction at all; that depends on the OEM’s implementation. Units that accept “Just Works” pairing, which asks the user nothing and offers no protection against a man-in-the-middle, expose the attack surface without any authentication step.
Proof of Concept
PCA successfully exploited the chain on production systems:
- Mercedes-Benz NTG6 IVI, confirmed on a test bench.
- Volkswagen ICAS3, used in the ID.4.
- Skoda MIB3, confirmed on a Superb 3.
In each case, the attacker could execute arbitrary code on the target head unit. Both older and newer firmware versions were vulnerable, and patching did not guarantee safety: several units that had received updates remained exploitable, most likely because the fix was not applied consistently across firmware branches.
PCA also confirmed the vulnerabilities in vehicles from an OEM it has not named. That OEM’s security team had not received the patch through its normal supplier channels.
Slow Fix, Long Supply Chain
OpenSynergy responded promptly. First contact came in May 2024. Patches were reportedly available by September. But by June 2025, some OEMs still hadn’t received or deployed them. The vehicle supply chain is large and slow. Subsystems can be inherited across models and years.
The advisory became public on 7 July 2025, after PCA determined some vendors remained unaware of the risk.
“OpenSynergy communicated clearly and handled the disclosure well,” PCA noted. “The delays came downstream.”
The timeline spans more than a year. It includes multiple notifications to OEMs, patch verification, and validation across infotainment platforms.
Affected Vendors
Confirmed affected:
- Mercedes-Benz AG
- Volkswagen Group
- Skoda Auto
- Undisclosed OEM
Others could be affected, too. Blue SDK is qualified with the Bluetooth SIG and licensed by OpenSynergy to manufacturers across industries; PCA used the SIG’s public qualification listings to trace where the stack is deployed. The list is not exhaustive.
Technical Summary
The chain starts with CVE-2024-45434, a use-after-free in the AVRCP service: the stack keeps using a memory object after it has been freed, and a peer that controls when that happens during normal device interaction can turn it into initial code execution.
The other three bugs give the attacker the control over internal state and control flow needed to make that first corruption reliable. The weak remote-CID check in L2CAP and the RFCOMM bugs in parameter handling and function termination each look minor on their own; together they turn an unstable crash into stable code execution.
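The pattern the summary describes, as an added illustration that is not Blue SDK code and not PCA’s exploit: a toy AVRCP connection table whose disconnect path frees a record but leaves the table slot pointing at it (the use-after-free shape), beside a hardened version that clears the slot and validates the CID a peer claims before touching any per-link state (the kind of check a weak remote-CID validation lacks). All names, the record layout and the sample PDU are invented for the example; the only specification facts used are that dynamically allocated L2CAP CIDs start at 0x0040 and that a single-packet AVCTP header is 3 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy per-link record for an AVRCP control channel (invented; not Blue SDK's structure). */
typedef struct avrcp_conn {
    uint16_t remote_cid;    /* L2CAP CID the peer allocated for this link */
    int      open;          /* 1 while the channel is connected */
    unsigned frames_seen;   /* PDUs handed to the profile handler */
} avrcp_conn_t;

#define MAX_CONN          4
#define L2CAP_DYN_CID_MIN 0x0040 /* dynamic CIDs start here; 0x0000-0x003F are fixed/reserved */
#define AVCTP_HDR_MIN     3      /* single-packet AVCTP header: 1 control byte + 2-byte PID */

static avrcp_conn_t *vuln_tab[MAX_CONN];
static avrcp_conn_t *safe_tab[MAX_CONN];

/* Allocate a record into the first free slot of a table; -1 if full. */
static int table_add(avrcp_conn_t **tab, uint16_t remote_cid) {
    for (int i = 0; i < MAX_CONN; i++) {
        if (!tab[i]) {
            avrcp_conn_t *c = calloc(1, sizeof *c);
            if (!c) return -1;
            c->remote_cid = remote_cid;
            c->open = 1;
            tab[i] = c;
            return i;
        }
    }
    return -1;
}

/* ---- vulnerable shape: disconnect frees the record but leaves the slot pointing at it ---- */
int vuln_connect(uint16_t remote_cid) { return table_add(vuln_tab, remote_cid); }

void vuln_disconnect(int slot) { free(vuln_tab[slot]); /* BUG: slot keeps a dangling pointer */ }

/* Dispatch never checks that the link is still alive, so a PDU arriving after disconnect
 * reads and writes freed memory. Call it after vuln_disconnect() only under ASan. */
int vuln_dispatch(int slot, const uint8_t *pdu, size_t len) {
    avrcp_conn_t *c = vuln_tab[slot];
    (void)pdu; (void)len;
    c->frames_seen++;           /* use-after-free once the slot was freed */
    return 0;
}

/* ---- hardened shape: clear the slot on free, validate the peer's CID on every frame ---- */
int safe_connect(uint16_t remote_cid) {
    return remote_cid < L2CAP_DYN_CID_MIN ? -1 : table_add(safe_tab, remote_cid);
}

void safe_disconnect(int slot) {
    if (slot < 0 || slot >= MAX_CONN || !safe_tab[slot]) return;
    safe_tab[slot]->open = 0;
    free(safe_tab[slot]);
    safe_tab[slot] = NULL;      /* the only reference is cleared, so nothing can use it later */
}

/* Map the CID the peer claims onto a live link. Out-of-range or unknown CIDs are
 * rejected rather than used to reach internal state. */
static avrcp_conn_t *safe_lookup(uint16_t remote_cid) {
    if (remote_cid < L2CAP_DYN_CID_MIN) return NULL;
    for (int i = 0; i < MAX_CONN; i++) {
        avrcp_conn_t *c = safe_tab[i];
        if (c && c->open && c->remote_cid == remote_cid) return c;
    }
    return NULL;
}

/* 0 = frame delivered; -1 = no live link for that CID, or frame too short. */
int safe_dispatch(uint16_t remote_cid, const uint8_t *pdu, size_t len) {
    avrcp_conn_t *c = safe_lookup(remote_cid);
    if (!c || !pdu || len < AVCTP_HDR_MIN) return -1;
    c->frames_seen++;
    return 0;
}

unsigned safe_frames(uint16_t remote_cid) {
    avrcp_conn_t *c = safe_lookup(remote_cid);
    return c ? c->frames_seen : 0;
}

/* The sequence a hostile peer would drive: connect, send a frame, disconnect, then send
 * one more frame. Returns 1 if the late frame was rejected. */
int hardened_sequence(void) {
    const uint8_t pdu[AVCTP_HDR_MIN] = { 0x00, 0x11, 0x0e }; /* constructed: AV/C PID 0x110E */
    int slot = safe_connect(0x0040);
    if (slot < 0 || safe_dispatch(0x0040, pdu, sizeof pdu) != 0) return 0;
    safe_disconnect(slot);
    return safe_dispatch(0x0040, pdu, sizeof pdu) == -1;
}

int main(void) {
    printf("late frame rejected after disconnect: %s\n", hardened_sequence() ? "yes" : "no");
    return 0;
}
```

Build with `cc -g -fsanitize=address`: the hardened sequence returns 1, while calling `vuln_dispatch()` after `vuln_disconnect()` produces a heap-use-after-free report, which is how this class of bug surfaces under a fuzzer long before it reaches a test bench.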
What Developers Need to Know
Security level settings matter. Blue SDK leaves it to the implementer to decide how much authentication each Bluetooth profile demands before its channel opens. A weak or misconfigured setting can expose the vulnerable profiles before any user-visible pairing step; “Just Works” pairing, which asks the user nothing and provides no protection against a man-in-the-middle, is one example.
The risk therefore lies not only in Blue SDK itself but in how it is embedded. A weak configuration in one layer can expose vulnerabilities that another layer would otherwise gate.
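To make the configuration point concrete, an added example that is not Blue SDK’s API (the page does not describe its configuration interface): the Secure Simple Pairing IO-capability mapping from the Bluetooth Core specification, a profile-level security gate whose level names are invented for the example, and a scenario in which an attacker’s adapter advertises NoInputNoOutput against a head unit that has a yes/no display. The result shows why a profile that accepts an unauthenticated link key is reachable with no prompt ever shown to the driver, and why requiring MITM protection closes that path.

```c
#include <stdio.h>

/* IO capabilities a device advertises during Secure Simple Pairing (SSP). */
typedef enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY, IO_NO_INPUT_NO_OUTPUT } io_cap_t;

/* Association model SSP ends up using; only Just Works gives no MITM protection. */
typedef enum { MODEL_JUST_WORKS, MODEL_NUMERIC_COMPARISON, MODEL_PASSKEY_ENTRY } ssp_model_t;

/* What a profile demands before its channel opens. These level names are this example's
 * own; the distinction that matters is whether MITM protection is required. */
typedef enum { SEC_NONE, SEC_AUTHENTICATED, SEC_AUTHENTICATED_MITM } sec_level_t;

/* BR/EDR SSP model selection (Core spec IO-capability mapping): if neither side asks for
 * MITM protection, or either side has no input and no output, pairing silently falls
 * back to Just Works. */
ssp_model_t ssp_model(io_cap_t local, io_cap_t remote, int mitm_required) {
    if (!mitm_required) return MODEL_JUST_WORKS;
    if (local == IO_NO_INPUT_NO_OUTPUT || remote == IO_NO_INPUT_NO_OUTPUT) return MODEL_JUST_WORKS;
    if (local == IO_KEYBOARD_ONLY || remote == IO_KEYBOARD_ONLY) return MODEL_PASSKEY_ENTRY;
    if (local == IO_DISPLAY_YESNO && remote == IO_DISPLAY_YESNO) return MODEL_NUMERIC_COMPARISON;
    return MODEL_JUST_WORKS;  /* DisplayOnly with DisplayOnly or DisplayYesNo */
}

/* Gate: may this profile's channel open over a link paired with the given model? */
int allow_profile_channel(sec_level_t required, ssp_model_t model) {
    switch (required) {
    case SEC_NONE:               return 1;
    case SEC_AUTHENTICATED:      return 1;                          /* unauthenticated key accepted */
    case SEC_AUTHENTICATED_MITM: return model != MODEL_JUST_WORKS;  /* Just Works keys refused */
    }
    return 0;
}

/* Scenario: head unit with a yes/no display, peer is an attacker's adapter advertising
 * NoInputNoOutput. Returns 1 if the profile channel opens with no confirmation shown. */
int channel_reachable_without_confirmation(sec_level_t profile_level, int head_unit_requires_mitm) {
    ssp_model_t m = ssp_model(IO_DISPLAY_YESNO, IO_NO_INPUT_NO_OUTPUT, head_unit_requires_mitm);
    return m == MODEL_JUST_WORKS && allow_profile_channel(profile_level, m);
}

int main(void) {
    printf("weak config (profile accepts unauthenticated key): reachable=%d\n",
           channel_reachable_without_confirmation(SEC_AUTHENTICATED, 0));
    printf("strict config (profile requires MITM protection):  reachable=%d\n",
           channel_reachable_without_confirmation(SEC_AUTHENTICATED_MITM, 1));
    return 0;
}
```

The strict configuration does not stop the attacker from pairing with Just Works; it stops the vulnerable profile from being offered over that link, which is the gate the article says OEM configuration can remove.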
What Comes Next
The patch is available. The advisory is public. But millions of vehicles may still be running vulnerable code. In modern vehicles, infotainment is no longer isolated. Bluetooth can be an entry point. A foothold.
The lesson: reverse engineering reveals what supply chains often obscure. A small mistake. A slow fix. A wide attack surface.
PerfektBlue is one click. That’s all it takes.
A Major Concern
Emilio Pinna, director at SecureFlag, said: “The PerfektBlue vulnerabilities found in OpenSynergy’s BlueSDK Bluetooth stack highlight one of the many blind spots in automotive technologies. These flaws, which affect major car brands like Mercedes-Benz, Volkswagen, and Skoda, can be exploited to remotely run code on a vehicle’s systems, possibly gaining access to critical functions. The attack can be delivered wirelessly and may require just a single click from the user. OpenSynergy released patches back in September 2024, but many automakers still haven’t rolled out the updates. Some weren’t even aware of the issue until recently. That’s a major concern.”
Pinna added that if a hacker can exploit your car just because your phone’s Bluetooth is on, that’s a problem that needs fixing immediately. “Beyond patching, this incident is a wake-up call for how we train automotive developers and design connected systems. Developers working on embedded systems need specific training in secure design principles and up-to-date threat modeling practices.”
He said, consumer radio interfaces in vehicles, such as Bluetooth and Wi-Fi, are primary targets. “The industry needs to invest in building developer awareness early in the product lifecycle: threat modeling should be a core part of development, and training programmes must evolve to cover emerging attack vectors. Building secure cars starts with building security-minded engineers.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


