← Back to CVEs
CVE-2026-1354
MEDIUM6.4
Description
Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.
CVE Details
CVSS v3.1 Score6.4
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack VectorADJACENT_NETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published4/21/2026
Last Modified4/22/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-322
References
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json(ics-cert@hq.dhs.gov)
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06(ics-cert@hq.dhs.gov)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.