Skip to main content
CVE Vulnerability Database

CVE-2025-8654: Kenwood DMX958XR Firmware RCE Vulnerability

CVE-2025-8654 is a command injection RCE vulnerability in Kenwood DMX958XR firmware that allows network-adjacent attackers to execute arbitrary code as root. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8654 Overview

CVE-2025-8654 is a command injection vulnerability in the Kenwood DMX958XR in-vehicle infotainment system. The flaw resides in the ReadMVGImage function, which fails to validate user-supplied strings before passing them to a system call. Network-adjacent attackers can exploit this issue without authentication to execute arbitrary code as root. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26313 and is tracked as [CWE-78] OS Command Injection.

Critical Impact

Unauthenticated attackers within range of the device can achieve root-level remote code execution on affected Kenwood DMX958XR head units.

Affected Products

  • JVCKenwood DMX958XR head unit (hardware)
  • JVCKenwood DMX958XR firmware version 1.0.0509.3100
  • Vehicles equipped with the affected DMX958XR infotainment system

Discovery Timeline

  • 2025-08-06 - CVE-2025-8654 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8654

Vulnerability Analysis

The vulnerability exists in the ReadMVGImage function within the DMX958XR firmware. This function processes Magick Vector Graphics (MVG) image input and constructs a system command using attacker-controlled data. Because the function lacks proper sanitization of user-supplied strings, an attacker can inject shell metacharacters into the executed command.

The issue is reachable over an adjacent network without authentication. Successful exploitation grants code execution in the context of root, the highest privilege level on the embedded Linux system powering the head unit. An attacker can read sensitive data, alter vehicle infotainment behavior, and pivot to other connected components.

The Zero Day Initiative tracked the finding internally as ZDI-CAN-26313 before publishing advisory ZDI-25-802.

Root Cause

The root cause is missing input validation in ReadMVGImage. User-supplied content is concatenated into a command string and passed to a system shell. Shell metacharacters such as ;, |, &, and backticks are not filtered or escaped, allowing arbitrary command execution. This pattern is classified under [CWE-78]: Improper Neutralization of Special Elements used in an OS Command.

Attack Vector

Exploitation requires network adjacency to the DMX958XR, typically Wi-Fi or Bluetooth pairing range. The attacker delivers a crafted MVG image to the parsing routine without supplying credentials. The embedded shell metacharacters execute as root once the device processes the file, yielding full control over the infotainment platform.

No verified public proof-of-concept exploit code is available. Technical details are described in the Zero Day Initiative Advisory ZDI-25-802.

Detection Methods for CVE-2025-8654

Indicators of Compromise

  • Unexpected outbound network connections originating from the DMX958XR head unit
  • Presence of MVG image files containing shell metacharacters (;, |, backticks) in command parameters
  • Unauthorized processes running as root on the infotainment system
  • Anomalous Wi-Fi or Bluetooth pairing attempts from unknown devices in proximity to the vehicle

Detection Strategies

  • Inspect firmware logs for invocations of ReadMVGImage with malformed or oversized input strings
  • Monitor for shell command execution patterns originating from image-parsing routines
  • Capture and analyze wireless traffic between client devices and the head unit for crafted MVG payloads

Monitoring Recommendations

  • Audit pairing logs and connection history on the DMX958XR for unrecognized devices
  • Track firmware integrity using vendor-supplied checksums after each service interaction
  • Where vehicle telematics platforms permit, forward head-unit logs to a centralized monitoring system for review

How to Mitigate CVE-2025-8654

Immediate Actions Required

  • Apply the latest firmware update from JVCKenwood as soon as it is available for the DMX958XR
  • Disable Wi-Fi hotspot and Bluetooth pairing on the head unit when not in active use
  • Remove pairings for unknown or untrusted devices from the infotainment system
  • Avoid loading media files from untrusted sources, including USB drives and shared wireless connections

Patch Information

At the time of publication, no vendor advisory URL is listed in the NVD entry. Owners should monitor the JVCKenwood support site and the Zero Day Initiative Advisory ZDI-25-802 for firmware release information. Affected firmware version 1.0.0509.3100 should be upgraded to any newer release that addresses the ReadMVGImage input validation flaw.

Workarounds

  • Keep the head unit's wireless interfaces disabled in public or high-traffic areas to limit adjacent-network exposure
  • Restrict device pairing to trusted personal devices only
  • Do not import MVG or other vector image files from unknown sources into the infotainment system

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.