How to fix EUVD-2025-18278?

Within 24 hours: Inventory all KIA vehicles in fleet and identify affected Soluto and other confirmed models; notify fleet operators and insurance carriers of exposure. Within 7 days: Issue security advisory to all drivers; disable remote keyless entry feature or implement alternative locking mechanisms where operationally feasible; coordinate with KIA on any available interim mitigations or recalls. Within 30 days: Develop remediation plan pending vendor patch availability; consider vehicle hardware replacement or retrofit solutions; establish monitoring for any unauthorized access incidents.

Is Cyclone Matrix TRF Smart Keyless Entry System affected by EUVD-2025-18278?

A critical vulnerability in Cyclone Matrix TRF Smart Keyless Entry Systems affects multiple KIA vehicle models, allowing attackers to replay fixed radio codes to unlock vehicles without authorization.

Cyclone Matrix TRF Smart Keyless Entry System EUVD-2025-18278

| CVE-2025-6030 CRITICAL

Authentication Bypass by Capture-replay (CWE-294)

2025-06-13 [email protected]

Information Disclosure

9.4

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18278

CVE Published

Jun 13, 2025 - 15:15 nvd

CRITICAL 9.4

DescriptionNVD

Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack.

Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador.

AnalysisAI

Critical replay attack vulnerability in the Cyclone Matrix TRF Smart Keyless Entry System used in KIA vehicles, stemming from the use of fixed, predictable learning codes for lock/unlock operations. Attackers within wireless range can capture and replay these codes to lock or unlock affected vehicles without authentication. The vulnerability has been confirmed on 2024 KIA Soluto and other KIA models in Ecuador, with a CVSS score of 9.4 indicating severe impact across confidentiality, integrity, and availability of vehicle functions.

Technical ContextAI

The Cyclone Matrix TRF (Transmitter RF) Smart Keyless Entry System implements a wireless key fob communication protocol that uses static, non-rolling learning codes to authorize lock and unlock commands. The root cause is classified under CWE-294 (Use of Authentication with Hard-Coded Credentials), though the core issue is the absence of cryptographic rolling codes or replay protection mechanisms. Rather than employing rolling code algorithms (standard in modern automotive keyless systems since the 1990s), this system relies on fixed codes transmitted over RF, making it vulnerable to simple capture-and-replay attacks. The affected components are the Key Fob Transmitter hardware and the vehicle's RF receiver module which fail to implement anti-replay protections such as challenge-response authentication, timestamp validation, or sequence number tracking. This affects wireless keyless entry systems across multiple KIA vehicle platforms that utilize this third-party Cyclone Matrix component.

RemediationAI

No patches or firmware updates are currently available in public vulnerability databases or referenced vendor advisories. Immediate remediation options are limited: (1) Hardware replacement of the Key Fob Transmitter and receiver module with a compliant unit supporting rolling codes (requires OEM parts and service); (2) Operational mitigations—users should park in secure locations, disable wireless unlock if vehicle firmware allows reverting to manual key operation, and consider aftermarket steering wheel locks or GPS tracking; (3) OEM recall—KIA should issue a mandatory recall with replacement keyless entry systems or firmware patches that implement rolling code/anti-replay protections, though no recall has been announced. Contact KIA dealership or regional service center for vehicle-specific guidance. Monitor KIA's official security advisories and NHTSA (National Highway Traffic Safety Administration) for recall notices. Affected fleet operators should temporarily restrict wireless keyless use pending OEM remediation.

EUVD-2025-18278 vulnerability details – vuln.today

Back