Skip to main content
CVE Vulnerability Database

CVE-2025-8653: Kenwood DMX958XR Firmware RCE Vulnerability

CVE-2025-8653 is a stack-based buffer overflow RCE vulnerability in Kenwood DMX958XR firmware that enables network-adjacent attackers to execute code as root. This article covers technical details, affected systems, and mitigation.

Published:

CVE-2025-8653 Overview

CVE-2025-8653 is a stack-based buffer overflow [CWE-121] in the JKRadioService component of the Kenwood DMX958XR in-vehicle infotainment system. The flaw allows network-adjacent attackers to execute arbitrary code as root without authentication. The vulnerability stems from missing length validation on user-supplied data before it is copied into a fixed-length stack buffer.

The Zero Day Initiative tracks this issue as ZDI-CAN-26312 and published advisory ZDI-25-801. The DMX958XR firmware version 1.0.0509.3100 is confirmed affected.

Critical Impact

An adjacent network attacker can achieve unauthenticated remote code execution as root on the head unit, gaining full control of the vehicle infotainment platform.

Affected Products

  • Kenwood DMX958XR hardware (all units running vulnerable firmware)
  • JVCKenwood DMX958XR firmware version 1.0.0509.3100
  • JKRadioService component on the DMX958XR platform

Discovery Timeline

  • 2025-08-06 - CVE-2025-8653 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8653

Vulnerability Analysis

The vulnerability resides in the JKRadioService process running on the Kenwood DMX958XR. This service handles radio-related functionality on the head unit and processes input received over an adjacent network interface, such as Wi-Fi or Bluetooth-bridged transports exposed by the device.

When JKRadioService receives a request containing attacker-controlled data, it copies that data into a fixed-size buffer allocated on the stack. Because the service does not validate the length of the supplied input prior to the copy, an oversized payload overflows the buffer and overwrites adjacent stack memory, including the saved return address.

Successful exploitation grants code execution in the context of root, the highest privilege level on the embedded Linux-based head unit. From this position, an attacker can pivot to the vehicle's CAN bus interfaces, exfiltrate paired device data, or persist across reboots through firmware modification.

Root Cause

The root cause is classic [CWE-121] Stack-based Buffer Overflow. The JKRadioService uses unsafe memory copy operations without enforcing a destination buffer size. Input arriving from the network path is trusted implicitly, with no bounds check between the source length and the stack buffer capacity.

Attack Vector

The attack vector is Adjacent Network (AV:A). The attacker must be on the same logical network segment as the head unit, typically reachable through the vehicle's Wi-Fi hotspot, a tethered hotspot, or a paired Bluetooth-to-IP bridge. No authentication or user interaction is required. The EPSS score is 0.406% at the 32.4 percentile.

No public proof-of-concept code or in-the-wild exploitation has been reported for CVE-2025-8653. Refer to the Zero Day Initiative Advisory ZDI-25-801 for additional technical context.

Detection Methods for CVE-2025-8653

Indicators of Compromise

  • Unexpected crashes or restarts of the JKRadioService process recorded in head unit diagnostic logs.
  • Anomalous outbound network connections originating from the DMX958XR to attacker-controlled hosts.
  • Unrecognized processes or modified binaries on the head unit filesystem after a service interaction over Wi-Fi.
  • Unsolicited inbound traffic targeting JKRadioService ports from devices on the vehicle Wi-Fi network.

Detection Strategies

  • Monitor wireless network segments shared with the head unit for malformed or oversized packets directed at radio service ports.
  • Capture and inspect traffic between paired mobile devices and the DMX958XR for protocol anomalies.
  • Review vendor-provided diagnostic logs from the infotainment unit for repeated JKRadioService segmentation faults.

Monitoring Recommendations

  • Restrict and audit who connects to the vehicle Wi-Fi hotspot, and treat unknown clients as untrusted.
  • Where fleet telematics support it, alert on infotainment service crash signatures forwarded to back-end systems.
  • Track JVCKenwood firmware advisories for the DMX958XR product line and reconcile installed versions against the latest release.

How to Mitigate CVE-2025-8653

Immediate Actions Required

  • Disable the DMX958XR Wi-Fi hotspot and other network-facing features until a vendor patch is applied.
  • Avoid pairing untrusted mobile devices with the head unit, since adjacent-network access is the prerequisite for exploitation.
  • Inventory affected vehicles and units running firmware 1.0.0509.3100 and prioritize them for service appointments.

Patch Information

At the time of publication, no vendor advisory or firmware update has been linked from the NVD record. Monitor JVCKenwood support channels and the Zero Day Initiative Advisory ZDI-25-801 for patch availability and update the DMX958XR firmware through the official JVCKenwood update tool once a fix is released.

Workarounds

  • Keep the head unit's wireless interfaces disabled when not actively required for navigation or media casting.
  • Use a wired USB connection in place of Wi-Fi for media and smartphone integration where feasible.
  • Segment any tethered hotspot used with the vehicle so untrusted clients cannot reach the head unit directly.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.