Superb 3 Firmware
CVE-2023-28897
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware.
Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
AnalysisAI
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. Affected products include: Skoda-Auto Superb 3 Firmware.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
More in Superb 3 Firmware
View allThe Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to /logs URI, when
By sending a specific reset UDS request via OBDII port of Skoda vehicles, it is possible to cause vehicle engine shutdow
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today