A medium-severity vulnerability (CVE-2026-1354, CVSS 6.4) in Zero Motorcycles firmware version 44 and earlier allows an attacker within Bluetooth range to gain unauthorized access to all Bluetooth functions and upload malicious firmware, potentially manipulating safety-critical vehicle features. A patch is expected in May. Separately, a high-severity vulnerability (CVE-2025-70994, CVSS 7.3) in Yadea T5 electric scooters allows an attacker to intercept and replay key fob transmissions to unlock or start the scooter, for which no patch is currently available.
IoT , Vulnerability Management Vulnerabilities found in Zero Motorcycles and Yadea scooters April 29, 2026 Share By SC Staff (Adobe Stock) Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact, according to a recent report by Security Week, citing recent CISA advisories. US-based Zero Motorcycles is affected by a medium severity vulnerability (CVE-2026-1354) in firmware version 44 and earlier. An attacker within Bluetooth range could gain unauthorized access to all Bluetooth functions and upload malicious firmware. This could allow manipulation of safety-critical features like torque output, regenerative braking, and battery management, potentially affecting vehicle behavior at high speeds. A patch is expected in May. Separately, the Yadea T5 electric scooter has a high severity vulnerability (CVE-2025-70994) due to weak authentication. An attacker can intercept a legitimate key fob transmission, such as a lock command, and use the data to synthesize an unlock or start command, enabling theft of the scooter. This attack can be performed instantly after capturing a command. Yadea has not yet released a patch for this issue. Source: Security Week SC Staff Related Vulnerability Management Discontinued D-Link routers subjected to Mirai botnet targeting SC Staff April 23, 2026 Security Affairs reports that vulnerable end-of-life D-Link DIR-823X routers impacted by the command injection flaw, tracked as CVE-2025-29635, have been targeted by Mirai botnet intrusions since early March, or about a year after the security issue was initially disclosed. Malware Nexcorium malware targets IoT devices, leverages Mirai variant for DDoS attacks SC Staff April 17, 2026 Nexcorium primarily targets video recording boxes for security cameras, particularly TBK DVR-4104 and DVR-4216 models, due to their inherent security weaknesses and infrequent updates. Government Regulations Netgear gets FCC exemption from foreign-made router ban SC Staff April 16, 2026 Cybersecurity Dive reports that Netgear has been excluded from the U.S. government's sweeping ban on foreign-made routers. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds