CVE-2025-70994: Yadea T5 Auth Bypass Vulnerability

CVE-2025-70994 Overview

Yadea T5 Electric Bicycles (models manufactured in/after 2024) contain a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This vulnerability enables signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

Critical Impact

Attackers within adjacent network range can intercept key fob signals and replay them to gain unauthorized access and control of the electric bicycle, potentially leading to vehicle theft or tampering.

Affected Products

• Yadea T5 Electric Bicycles (models manufactured in 2024 and later)
• Yadea T5 keyless entry systems using EV1527 fixed-code RF protocol
• Key fob communication modules without rolling code implementation

Discovery Timeline

• 2026-04-23 - CVE CVE-2025-70994 published to NVD
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-70994

Vulnerability Analysis

This vulnerability is classified under CWE-1390 (Weak Authentication), representing a fundamental security design flaw in the Yadea T5 electric bicycle keyless entry system. The weakness stems from the implementation of the EV1527 fixed-code RF protocol, which transmits static authentication codes that remain unchanged between uses.

The EV1527 is a one-way encoder chip commonly used in low-cost remote control applications. While suitable for non-security-critical applications, its fixed-code nature makes it inherently unsuitable for vehicle access control systems. Each key fob transmission contains the same code sequence, making the system trivially vulnerable to replay attacks once an attacker captures a single legitimate transmission.

Root Cause

The root cause of this vulnerability lies in the absence of modern cryptographic protections in the keyless entry system design. Specifically:

The system lacks rolling codes (also known as hopping codes), which would generate a new code sequence for each transmission based on a synchronized counter between the key fob and the vehicle's receiver.

There is no cryptographic challenge-response mechanism, which would require the key fob to prove knowledge of a shared secret without transmitting the secret itself.

The EV1527 protocol transmits codes in plaintext over RF frequencies (typically 315MHz or 433MHz), allowing any attacker with appropriate SDR (Software Defined Radio) equipment to capture and replay the signals.

Attack Vector

The attack requires the adversary to be within adjacent network (RF) range of the legitimate key fob during a transmission event. The attack sequence proceeds as follows:

1. The attacker positions themselves within RF reception range of the target vehicle owner's key fob
2. Using an SDR device or dedicated RF capture tool, the attacker records the RF signal when the owner locks/unlocks the bicycle
3. The captured signal contains the fixed authentication code transmitted by the EV1527-based key fob
4. At a later time, the attacker returns to the vehicle and replays the captured signal using an RF transmitter
5. The vehicle's receiver accepts the replayed signal as legitimate, granting full access and operational control

Technical details and proof-of-concept tooling can be found in the CVE-2025-70994 PoC Repository and the Ghost Keys project.

Detection Methods for CVE-2025-70994

Indicators of Compromise

• Unexpected unlocking or activation of the electric bicycle without owner initiation
• Discovery of unknown devices operating near the vehicle during key fob usage
• Reports of vehicle access at times when the legitimate owner was not present
• Presence of SDR equipment or RF replay devices in the vicinity of parking areas

Detection Strategies

• Monitor for unusual RF activity in the 315MHz or 433MHz frequency bands near parking facilities
• Implement RF spectrum analysis to detect signal capture attempts or replay transmissions
• Deploy physical security cameras in parking areas to correlate unauthorized vehicle access with suspicious individuals
• Conduct periodic security assessments of keyless entry systems for fixed-code vulnerabilities

Monitoring Recommendations

• Establish baseline RF environment profiles for vehicle storage locations
• Implement anomaly detection for multiple rapid RF transmissions that may indicate replay attempts
• Coordinate with facility security to monitor for individuals using electronic devices suspiciously near parked vehicles
• Document and track any unauthorized vehicle access incidents for pattern analysis

How to Mitigate CVE-2025-70994

Immediate Actions Required

• Contact Yadea support to inquire about firmware or hardware upgrades that implement rolling codes
• Consider using additional physical security measures such as secondary locks or chains
• Avoid using the keyless entry system in public or high-risk areas where RF interception is more likely
• Store the key fob in an RF-shielding pouch when not in use to prevent unintended transmissions

Patch Information

No vendor patch information is currently available for this vulnerability. Vehicle owners should monitor Yadea's official channels for security updates. The vulnerability requires a fundamental redesign of the keyless entry system to implement cryptographically secure authentication mechanisms such as rolling codes or challenge-response protocols.

Additional technical information is available at the CVE-2025-70994 PoC Repository.

Workarounds

• Disable the keyless entry feature if possible and use manual key-based access mechanisms
• Implement supplementary physical security measures including disc locks, chain locks, or GPS tracking devices
• Store the electric bicycle in secured, access-controlled locations when not in use
• Use RF-blocking storage for the key fob to prevent inadvertent signal capture
• Consider aftermarket alarm systems that provide independent tamper detection