Researchers at PCA Cyber Security have uncovered a set of critical vulnerabilities, collectively named PerfektBlue, in the OpenSynergy BlueSDK Bluetooth stack. Exploiting these flaws could enable remote code execution (RCE) in millions of vehicles, potentially allowing attackers to remotely compromise automotive systems.
OpenSynergy’s BlueSDK is a widely used Bluetooth implementation in the automotive sector, supporting both Bluetooth Classic and Low Energy modes. Its hardware-agnostic design and support for standard Bluetooth profiles make it highly adaptable. As a framework, BlueSDK can be modified by vendors to suit specific system needs—a flexibility that also introduces security variability and potential weaknesses.
The PerfektBlue attack chains together multiple Bluetooth vulnerabilities to compromise a vehicle’s infotainment system. An attacker could use it to track vehicle locations, record audio, and access phonebook data. Theoretically, this access could also allow lateral movement into critical vehicle functions, such as steering or windshield wipers, though researchers did not demonstrate this capability.
According to PCA’s advisory:
“The only prerequisite for a PerfektBlue attack is pairing with the target device at a sufficient security level. However, since BlueSDK is a framework, pairing implementations vary—some may allow unlimited pairing requests, some require user interaction, and others may have pairing disabled entirely. In practice, PerfektBlue requires at most one click from a user to execute an over-the-air attack.”
BlueSDK is integrated into many vehicles, notably from manufacturers such as Mercedes-Benz, Volkswagen, and Skoda. While these vulnerabilities primarily impact the automotive sector, other Bluetooth-enabled products using BlueSDK could also be at risk. Users are advised to update affected systems or disable Bluetooth where feasible.
The identified vulnerabilities are:
- Use-After-Free in AVRCP service. CVSS 3.1 score: 8.0 (Critical)
- Improper validation of an L2CAP channel’s remote CID. CVSS 3.1 score: 3.5 (Low)
- Incorrect function termination in RFCOMM. CVSS 3.1 score: 5.7 (Medium)
- Function call with incorrect parameter in RFCOMM. CVSS 3.1 score: 5.7 (Medium)
Researchers demonstrated proof-of-concept exploits on:
- Mercedes-Benz NTG6 head unit
- Volkswagen MEB ICAS3 head unit
- Skoda MIB3 head unit
“PCA identified multiple vulnerabilities of varying severity, which together allow an attacker to achieve 1-click RCE on systems using the BlueSDK stack. With this level of access, an attacker could manipulate the operating system, escalate privileges, and potentially pivot to other critical vehicle components.”
Notably, while the vulnerabilities were confirmed on test devices after pairing, PCA cautioned that due to implementation differences, some devices might be vulnerable even prior to pairing, particularly if configured with insecure security profiles or using “Just Works” pairing mode.
Patches addressing the issue were rolled out in September 2024, following responsible disclosure in May 2024.
- May 17, 2024: PCA reported the flaws to OpenSynergy.
- July 15, 2024: OpenSynergy acknowledged the issues and began patch development, completing fixes by September 2024.
- March 2025: PCA began responsible disclosure by sharing the advisory website with OpenSynergy for review.
- Early June 2025: PCA confirmed that the vulnerabilities affected several vehicle models from an undisclosed OEM and notified their security team.
- June 10, 2025: PCA informed OpenSynergy of its intent to publish the advisory on July 2, allowing time for coordinated disclosure.
- June 23, 2025: The affected OEM indicated they had not received official notification or patches via their supply chain.
- July 7, 2025: PCA publicly released the advisory.
The goal of this disclosure was to raise awareness of the PerfektBlue attack chain among OEMs, suppliers, and end-users, prompting timely remediation efforts and improved security across the automotive ecosystem.
PCA Cyber Security, founded in 2019 and formerly known as PCAutomotive, specializes in securing embedded devices through penetration testing, threat intelligence, and continuous cybersecurity monitoring. Headquartered in Budapest, PCA specialists continuously develop and refine protocols to counter the most sophisticated threats.