{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-61081", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-05-19T18:13:43.105Z", "dateReserved": "2025-09-26T00:00:00.000Z", "datePublished": "2026-05-19T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-19T17:32:02.055Z"}, "descriptions": [{"lang": "en", "value": "In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link"}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-307", "lang": "en", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "references": [{"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link", "tags": ["exploit"]}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-19T18:11:46.135176Z", "id": "CVE-2025-61081", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T18:13:43.105Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-61081", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-19T18:11:46.135176Z"}}}], "references": [{"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link", "tags": ["exploit"]}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T18:11:05.124Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link"}, {"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637"}], "descriptions": [{"lang": "en", "value": "In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-19T17:32:02.055Z"}}}, "cveMetadata": {"cveId": "CVE-2025-61081", "state": "PUBLISHED", "dateUpdated": "2026-05-19T18:13:43.105Z", "dateReserved": "2025-09-26T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-05-19T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs."}], "id": "CVE-2025-61081", "lastModified": "2026-05-19T19:16:45.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-05-19T18:16:19.767", "references": [{"source": "cve@mitre.org", "url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link"}, {"source": "cve@mitre.org", "url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"created": "2026-05-19T18:30:11.301521+00:00", "title": "Unauthorized ECU Flashing via Brute-Forced Authentication Key", "updated": "2026-05-19T18:30:11.301533+00:00", "vendors": [], "weaknesses": ["CWE-307", "CWE-522"]}