What is the CVSS score of CVE-2025-63896?

CVE-2025-63896 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Android are affected by CVE-2025-63896?

A HIGH severity vulnerability in automotive infotainment systems (JXL 9 Inch Car Android Double Din Players) allows attackers to inject arbitrary keystrokes through spoofed Bluetooth connections,…

Is there a public PoC exploit available for CVE-2025-63896?

Yes, a public proof-of-concept exploit is available for CVE-2025-63896. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-63896?

Within 24 hours: Inventory all affected JXL 9 Inch Car Android Double Din Player units in use and identify deployment locations. Within 7 days: Implement Bluetooth pairing restrictions and disable Bluetooth HID if not operationally required; communicate risk advisory to all users and fleet managers. Within 30 days: Monitor vendor communications for security patches; evaluate replacement or hardware retrofit options if available; document all remediation steps for compliance records.

Android CVE-2025-63896

EUVD-2025-201273 HIGH

Missing Authentication for Critical Function (CWE-306)

2025-12-04 cve@mitre.org

Authentication Bypass Google Android Jxl 9 Inch Car Android Double Din Player Firmware

7.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:35 euvd

EUVD-2025-201273

Analysis Generated

Mar 15, 2026 - 16:35 vuln.today

PoC Detected

Jan 22, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Dec 04, 2025 - 21:16 nvd

HIGH 7.6

DescriptionNVD

An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device.

Analysis

An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device.

Technical ContextAI

An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Missing Authentication for Critical Function (CWE-306).

RemediationAI

Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-8842 MEDIUM This Month

6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti

CVE-2025-68712 MEDIUM This Month

5.5 May 27

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circum

CVE-2026-7552 MEDIUM This Month

5.3 May 28

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration

CVE-2025-68709 MEDIUM This Month

5.2 May 26

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app send

CVE-2025-63896 vulnerability details – vuln.today

Back