Back to KEVs

CVE-2023-29389

Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle...

Basic Information

CVE State: PUBLISHED
Reserved Date: April 05, 2023
Published Date: April 05, 2023
Last Updated: February 12, 2025
Vendor: n/a
Product: n/a
Description: Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection, as exploited in the wild in (for example) July 2022.

CVSS Scores

CVSS v3.1

6.8 - MEDIUM

Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2023-04-05 00:00:00 UTC) Source

References

https://kentindell.github.io/2023/04/03/can-injection/ https://news.ycombinator.com/item?id=35452963

Known Exploited Vulnerability Information

Source	Added Date
CVE	2023-04-05 00:00:00 UTC

Timeline

CVE ID Reserved

April 05, 2023
CVE Published to Public

April 05, 2023
Added to KEVIntel

April 05, 2023