How to fix CVE-2025-5479?

Within 24 hours: Identify all Sony XAV-AX8500 devices in your environment and document their locations and criticality. Within 7 days: Apply the available vendor patch to all affected devices, prioritizing fleet vehicles and high-use systems. Within 30 days: Verify patch deployment across all systems, update device inventory records, and consider implementing Bluetooth pairing restrictions or monitoring where operationally feasible.

Is Xav Ax8500 Firmware affected by CVE-2025-5479?

Sony XAV-AX8500 in-vehicle infotainment systems are vulnerable to remote code execution if an attacker can pair a malicious Bluetooth device, potentially compromising vehicle safety systems and user data.

CVE-2025-5479

EUVD-2025-18882 HIGH

2025-06-21 [email protected]

RCE Buffer Overflow Xav Ax8500 Firmware

7.5

CVSS 3.0

CVSS VectorNVD

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 21:35 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 21:35 euvd

EUVD-2025-18882

Patch Released

Mar 15, 2026 - 21:35 nvd

Patch available

CVE Published

Jun 21, 2025 - 01:15 nvd

HIGH 7.5

DescriptionNVD

Sony XAV-AX8500 Bluetooth AVCTP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sony XAV-AX8500 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.

The specific flaw exists within the implementation of the Bluetooth AVCTP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26290.

AnalysisAI

A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical ContextAI

CWE-122 (Heap-based Buffer Overflow). CVSS 7.5 indicates high severity.

RemediationAI

Apply the vendor-supplied patch immediately. Consider network segmentation to limit exposure if patching is delayed.

CVE-2025-5479 vulnerability details – vuln.today

Back

CVE-2025-5479

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code