At the Security Analyst Summit 2025, Kaspersky unveiled a startling discovery: a critical flaw in the telematics system of a major car manufacturer that could allow attackers to gain remote control over connected vehicles, endangering both drivers and passengers.
The security audit revealed that by exploiting a zero-day vulnerability in a contractor’s publicly accessible web application, researchers could penetrate the automaker’s telematics infrastructure. The vulnerability enabled unauthorized access to internal systems, making it possible to remotely shift gears or even turn off a car’s engine while in motion.
“One weak link in a contractor’s infrastructure can compromise the safety of millions on the road.”
— Artem Zinenko, Kaspersky
According to Kaspersky, the breach originated from a SQL injection in a wiki application used by the manufacturer’s contractor. The flaw exposed user credentials, some of which were cracked because of weak passwords. These led to the contractor’s issue-tracking system, which contained configuration details and access credentials for the automaker’s telematics servers.
Once inside the connected vehicle environment, Kaspersky identified misconfigured firewalls and unsecured credentials that opened the door to the telematics control unit (TCU). From there, attackers could upload modified firmware, gaining access to the vehicle’s Controller Area Network (CAN) bus — a system that controls crucial functions such as the engine, transmission, and sensors.
“The automotive industry must treat cybersecurity as an integral part of vehicle safety,” said Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment. “Weak passwords, lack of 2FA, and unencrypted data are recurring issues that must be urgently addressed to prevent large-scale compromise.”
Kaspersky recommends a set of urgent countermeasures: isolating internet-facing services, enforcing strict password and 2FA policies, encrypting sensitive data, and integrating continuous monitoring via SIEM systems. For manufacturers, securing telematics systems through network segmentation, command authentication, and privilege minimization is vital.
The findings serve as a critical reminder that as vehicles become smarter, they also become more vulnerable — demanding a cybersecurity framework that protects not just data, but lives.
