Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63896

CVE-2025-63896: JXL Car Android Player RCE Vulnerability

CVE-2025-63896 is an RCE flaw in JXL 9 Inch Car Android Double Din Player that allows attackers to inject keystrokes via spoofed Bluetooth HID devices. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-63896 Overview

CVE-2025-63896 is a Bluetooth Human Interface Device (HID) authentication weakness in the JXL 9 Inch Car Android Double Din Player running Android v12.0. The infotainment unit accepts HID connections from spoofed Bluetooth devices without enforcing proper authentication. Attackers within Bluetooth range can pair as a rogue keyboard and inject arbitrary keystrokes into the head unit. This allows them to drive the Android interface, launch applications, modify settings, or trigger destructive actions on the vehicle's infotainment system. The flaw is tracked under CWE-306: Missing Authentication for Critical Function.

Critical Impact

A nearby attacker can spoof a Bluetooth HID device and inject keystrokes into the car's Android head unit, compromising integrity of the in-vehicle infotainment system.

Affected Products

  • JXL 9 Inch Car Android Double Din Player (hardware)
  • JXL 9 Inch Car Android Double Din Player Firmware version 12.0
  • Android-based infotainment units shipped by jxlindia using the affected Bluetooth HID stack

Discovery Timeline

  • 2025-12-04 - CVE-2025-63896 published to the National Vulnerability Database
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-63896

Vulnerability Analysis

The JXL infotainment unit exposes a Bluetooth HID profile that does not validate the identity of pairing peers. An attacker within adjacent network range can advertise a counterfeit HID device, such as a keyboard or pointer, and bind it to the head unit. Once bound, the spoofed peripheral sends Android key events that the system processes as legitimate user input.

The impact is concentrated on integrity. Keystroke injection lets an attacker navigate the launcher, open arbitrary applications, change vehicle audio and display settings, dismiss safety prompts, or initiate calls. Confidentiality and availability impacts are lower because the channel is one-way input, but secondary effects can include data exposure through opened applications and denial of normal driver interaction.

A public proof of concept is documented in the JXL Infotainment CVE GitHub repository.

Root Cause

The head unit's Bluetooth HID stack omits authentication for connecting HID devices. Pairing relies on assumed trust of the HID profile rather than cryptographic verification of the peer. This is a classic CWE-306 condition: a critical function — accepting input device events — runs without enforcing identity checks.

Attack Vector

Exploitation requires Bluetooth proximity to the vehicle, typically a few meters. The attacker enables Bluetooth on a controllable device, advertises a HID descriptor mimicking a keyboard, and initiates pairing with the JXL head unit. The unit accepts the connection without prompting for confirmation tied to a verified peer. The attacker then transmits HID reports that the Android OS dispatches as key events.

No user interaction is required on the victim side, and no prior credentials are needed. The attack is constrained to Bluetooth radio range, which limits scale but is well within reach of a person in a neighboring vehicle, parking space, or service bay.

Detection Methods for CVE-2025-63896

Indicators of Compromise

  • Unexpected Bluetooth HID devices listed in the head unit's paired devices menu
  • Android UI actions, application launches, or setting changes occurring without driver input
  • Bluetooth pairing events in logcat referencing HID profile bindings from unknown MAC addresses
  • Repeated short-range Bluetooth advertisements with HID descriptors near the vehicle

Detection Strategies

  • Audit the paired Bluetooth devices list on the head unit and remove any entries that were not deliberately added by the driver
  • Monitor Android system logs for BluetoothHidHost connection events and correlate against known driver devices
  • Use a Bluetooth spectrum analyzer or hcitool-based scanner during diagnostic sessions to identify rogue HID advertisers in service environments

Monitoring Recommendations

  • Enable verbose Bluetooth logging on test fleets to capture HID pairing attempts and peer addresses
  • Track sudden navigation events, application launches, or settings changes that occur while the vehicle is stationary and unattended
  • For fleet operators, centralize telemetry from infotainment units and alert on new Bluetooth bonds outside service windows

How to Mitigate CVE-2025-63896

Immediate Actions Required

  • Disable Bluetooth on the JXL head unit when it is not actively in use, especially while the vehicle is parked in public areas
  • Remove all paired Bluetooth devices and re-pair only trusted phones and accessories under controlled conditions
  • Avoid pairing new Bluetooth devices in public locations where a rogue advertiser could race the pairing request
  • Contact jxlindia support to request firmware guidance, since no vendor advisory is currently listed

Patch Information

At the time of publication, no vendor patch or advisory is available from jxlindia. The only vendor reference is the JXL official website. Owners and integrators should monitor the vendor channel for a firmware update that enforces authenticated HID pairing and consider the device unmitigated until such an update is issued.

Workarounds

  • Keep the head unit's Bluetooth radio powered off except during deliberate pairing or use
  • Set the Bluetooth adapter to non-discoverable mode after pairing trusted devices
  • Park in secured areas to reduce the window for an attacker to operate within Bluetooth range
  • For commercial fleets, consider RF-shielded storage or disabling the infotainment Bluetooth stack at the integrator level until a firmware fix is released

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.