Skip to main content

Alps Alpine RKES CVE-2026-49319

| EUVDEUVD-2026-39417 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-06-25 ASRG GHSA-2qp5-r5hx-q27p
6.9
CVSS 4.0 · Vendor: ASRG
Share

Severity by source

Vendor (ASRG) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.7 MEDIUM

AV:A for mandatory RF proximity; UI:R because capture requires victim to actively transmit key fob signals during attacker presence; I:H for full lock-state integrity violation.

3.1 AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ASRG).

CVSS VectorVendor: ASRG

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 25, 2026 - 15:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
Jun 25, 2026 - 15:19 vuln.today

DescriptionCVE.org

Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication.

An attacker within RF range who records two consecutive lock or unlock transmissions from a legitimate key fob can later replay the same pair of transmissions repeatedly. During testing, replaying the first captured transmission caused the RKES to enter a state in which replaying the second captured transmission resulted in a successful lock or unlock operation of the vehicle. Tested and confirmed on a 2024 Suzuki Swift (SWIFT ISG GLS AC 1.2 5P 4x2 TM).

AnalysisAI

Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Position SDR receiver within 433 MHz range of target vehicle
Delivery
Wait for legitimate owner to press key fob
Exploit
Capture first consecutive RF transmission
Install
Capture second consecutive RF transmission
C2
Return to vehicle when owner is absent
Execute
Replay first captured transmission to prime receiver state
Impact
Replay second captured transmission to unlock vehicle

Vulnerability AssessmentAI

Exploitation The attacker must be within 433 MHz RF reception range of the target vehicle at the moment the legitimate owner uses the key fob, and must capture exactly two consecutive lock or unlock transmissions from that session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 Medium with AV:A appropriately constrains the attack to RF proximity, which is the primary limiting factor for mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positions a 433 MHz SDR receiver (e.g., RTL-SDR dongle with appropriate antenna) near a target vehicle in a predictable location such as a workplace parking lot. When the legitimate owner presses the key fob twice in succession - common when double-locking - the attacker records both RF transmissions. …
Remediation No vendor-released patch has been identified at the time of analysis - remediation of a hardware rolling-code implementation requires either a firmware update to the RKES receiver/transmitter pair (if the module supports it) or physical hardware replacement. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy