CVE-2025-63896 Overview
CVE-2025-63896 is a Bluetooth Human Interface Device (HID) authentication weakness in the JXL 9 Inch Car Android Double Din Player running Android v12.0. The infotainment unit accepts HID connections from spoofed Bluetooth devices without enforcing proper authentication. Attackers within Bluetooth range can pair as a rogue keyboard and inject arbitrary keystrokes into the head unit. This allows them to drive the Android interface, launch applications, modify settings, or trigger destructive actions on the vehicle's infotainment system. The flaw is tracked under CWE-306: Missing Authentication for Critical Function.
Critical Impact
A nearby attacker can spoof a Bluetooth HID device and inject keystrokes into the car's Android head unit, compromising integrity of the in-vehicle infotainment system.
Affected Products
- JXL 9 Inch Car Android Double Din Player (hardware)
- JXL 9 Inch Car Android Double Din Player Firmware version 12.0
- Android-based infotainment units shipped by jxlindia using the affected Bluetooth HID stack
Discovery Timeline
- 2025-12-04 - CVE-2025-63896 published to the National Vulnerability Database
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-63896
Vulnerability Analysis
The JXL infotainment unit exposes a Bluetooth HID profile that does not validate the identity of pairing peers. An attacker within adjacent network range can advertise a counterfeit HID device, such as a keyboard or pointer, and bind it to the head unit. Once bound, the spoofed peripheral sends Android key events that the system processes as legitimate user input.
The impact is concentrated on integrity. Keystroke injection lets an attacker navigate the launcher, open arbitrary applications, change vehicle audio and display settings, dismiss safety prompts, or initiate calls. Confidentiality and availability impacts are lower because the channel is one-way input, but secondary effects can include data exposure through opened applications and denial of normal driver interaction.
A public proof of concept is documented in the JXL Infotainment CVE GitHub repository.
Root Cause
The head unit's Bluetooth HID stack omits authentication for connecting HID devices. Pairing relies on assumed trust of the HID profile rather than cryptographic verification of the peer. This is a classic CWE-306 condition: a critical function — accepting input device events — runs without enforcing identity checks.
Attack Vector
Exploitation requires Bluetooth proximity to the vehicle, typically a few meters. The attacker enables Bluetooth on a controllable device, advertises a HID descriptor mimicking a keyboard, and initiates pairing with the JXL head unit. The unit accepts the connection without prompting for confirmation tied to a verified peer. The attacker then transmits HID reports that the Android OS dispatches as key events.
No user interaction is required on the victim side, and no prior credentials are needed. The attack is constrained to Bluetooth radio range, which limits scale but is well within reach of a person in a neighboring vehicle, parking space, or service bay.
Detection Methods for CVE-2025-63896
Indicators of Compromise
- Unexpected Bluetooth HID devices listed in the head unit's paired devices menu
- Android UI actions, application launches, or setting changes occurring without driver input
- Bluetooth pairing events in logcat referencing HID profile bindings from unknown MAC addresses
- Repeated short-range Bluetooth advertisements with HID descriptors near the vehicle
Detection Strategies
- Audit the paired Bluetooth devices list on the head unit and remove any entries that were not deliberately added by the driver
- Monitor Android system logs for BluetoothHidHost connection events and correlate against known driver devices
- Use a Bluetooth spectrum analyzer or hcitool-based scanner during diagnostic sessions to identify rogue HID advertisers in service environments
Monitoring Recommendations
- Enable verbose Bluetooth logging on test fleets to capture HID pairing attempts and peer addresses
- Track sudden navigation events, application launches, or settings changes that occur while the vehicle is stationary and unattended
- For fleet operators, centralize telemetry from infotainment units and alert on new Bluetooth bonds outside service windows
How to Mitigate CVE-2025-63896
Immediate Actions Required
- Disable Bluetooth on the JXL head unit when it is not actively in use, especially while the vehicle is parked in public areas
- Remove all paired Bluetooth devices and re-pair only trusted phones and accessories under controlled conditions
- Avoid pairing new Bluetooth devices in public locations where a rogue advertiser could race the pairing request
- Contact jxlindia support to request firmware guidance, since no vendor advisory is currently listed
Patch Information
At the time of publication, no vendor patch or advisory is available from jxlindia. The only vendor reference is the JXL official website. Owners and integrators should monitor the vendor channel for a firmware update that enforces authenticated HID pairing and consider the device unmitigated until such an update is issued.
Workarounds
- Keep the head unit's Bluetooth radio powered off except during deliberate pairing or use
- Set the Bluetooth adapter to non-discoverable mode after pairing trusted devices
- Park in secured areas to reduce the window for an attacker to operate within Bluetooth range
- For commercial fleets, consider RF-shielded storage or disabling the infotainment Bluetooth stack at the integrator level until a firmware fix is released
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

