Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:A for mandatory RF proximity; UI:R because capture requires victim to actively transmit key fob signals during attacker presence; I:H for full lock-state integrity violation.
Primary rating from Vendor (ASRG).
CVSS VectorVendor: ASRG
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication.
An attacker within RF range who records two consecutive lock or unlock transmissions from a legitimate key fob can later replay the same pair of transmissions repeatedly. During testing, replaying the first captured transmission caused the RKES to enter a state in which replaying the second captured transmission resulted in a successful lock or unlock operation of the vehicle. Tested and confirmed on a 2024 Suzuki Swift (SWIFT ISG GLS AC 1.2 5P 4x2 TM).
AnalysisAI
Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be within 433 MHz RF reception range of the target vehicle at the moment the legitimate owner uses the key fob, and must capture exactly two consecutive lock or unlock transmissions from that session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 Medium with AV:A appropriately constrains the attack to RF proximity, which is the primary limiting factor for mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positions a 433 MHz SDR receiver (e.g., RTL-SDR dongle with appropriate antenna) near a target vehicle in a predictable location such as a workplace parking lot. When the legitimate owner presses the key fob twice in succession - common when double-locking - the attacker records both RF transmissions. … |
| Remediation | No vendor-released patch has been identified at the time of analysis - remediation of a hardware rolling-code implementation requires either a firmware update to the RKES receiver/transmitter pair (if the module supports it) or physical hardware replacement. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39417
GHSA-2qp5-r5hx-q27p