Last Week in AppSec for 22. July 2025 - Checkmarx

Last Week in AppSec for 22. July 2025

July 22, 2025

Here are some news items our team found interesting over the past week, which you might have missed.

  • PCA Cyber Security chained a set of memory-corruption and program-logic vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack into an attack it calls PerfektBlue. Because BlueSDK ships in millions of devices, from mobile phones and portable media players to cars, the impact is broad. The assigned CVEs are CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, and CVE-2024-45434.
  • Wiz discovers container escape vulnerability in the NVIDIA Container Toolkit (CVE-2025-23266). The NVIDIA customer help document explains how container definition files could exploit the vulnerable hooks during container creation.
  • Grafana dashboards vulnerable to XSS, without requiring editor access. As a result of their bug bounty program, Grafana Labs repaired CVE-2025-6023, a Cross-Site Scripting (XSS) vulnerability that only requires anonymous access be enabled.

PerfektBlue: a 1-click Remote Code Execution in millions of cars

PCA Cyber Security chained a set of memory-corruption and program-logic vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack into an attack it calls PerfektBlue. Because BlueSDK ships in millions of devices, from mobile phones and portable media players to cars, the impact is broad. The assigned CVEs are CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, and CVE-2024-45434.

The issues were reported to OpenSynergy in May 2024, patched in September of 2024, and then openly published after giving a long lead time for patch rollout. Patch deployment on endpoint devices is always challenging, and automotive industry patch application is particularly difficult to manage.

This 1-click RCE (Remote Code Execution) was tested mostly with already-paired devices, but the researchers note that, depending on how the product vendor configured and integrated the BlueSDK stack, the attack can also succeed before pairing. It was demonstrated against Mercedes-Benz, Volkswagen, and Skoda infotainment systems, among others.

Of interest is that only one of the CVEs is flagged by the researchers as “Critical” (CVE-2024-45434, CVSS 8.0, which the CVSS v3.1 scale itself classes as High); the others rate Low (CVSS 3.5) or Medium (CVSS 5.7). This is an excellent reminder that a “non-critical” vulnerability can still be a link in a high-value attack chain, and that triaging purely by standalone CVSS score will deprioritise exactly the bugs an adversary chains together.

Critical vuln (Container Escape) in NVIDIA Container Toolkit

Wiz discovered a container escape vulnerability in the NVIDIA Container Toolkit (CVE-2025-23266, CVSS 9.0). The NVIDIA customer help document explains how container definition files could exploit the vulnerable hooks during container creation.

The createContainer OCI hook that the toolkit installs runs on the host with root privileges, and with its working directory set to the root of the container’s filesystem. The hook also inherits environment variables from the container image, so an image whose Dockerfile sets LD_PRELOAD to a relative path (for example via an ENV instruction) causes the dynamic loader to resolve that path inside the image’s filesystem and load an attacker-supplied shared library into the privileged hook process. That yields arbitrary code execution on the host, i.e. a container escape, and it happens during container creation, before any workload in the image has run.
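One practical check on the platform side is to refuse images whose config carries loader environment variables before the runtime ever sees them. The following is an added example written for this newsletter, not code from NVIDIA, Wiz or the toolkit: it parses an OCI image config (or one element of `docker image inspect` output), flags LD_PRELOAD entries, and additionally flags LD_AUDIT as a hardening assumption, since glibc honours it in the same way. The two sample configs are constructed for the demonstration; the malicious one mirrors the relative-path pattern described above.

```python
"""Scan an OCI/Docker image config for loader environment variables that a
host-side OCI hook would inherit. Added illustration for this newsletter; not
NVIDIA's, Wiz's or the Container Toolkit's own code."""
import json
import os
from typing import Dict, List

# LD_PRELOAD is the variable named in the advisory. LD_AUDIT is included as a
# hardening assumption: glibc loads it just as eagerly as LD_PRELOAD.
LOADER_VARS = ("LD_PRELOAD", "LD_AUDIT")


def find_loader_env(config_json: str) -> List[Dict]:
    """Return one finding per loader-related Env entry in an image config.

    Accepts either a raw OCI image config (lower-case "config" key) or a single
    element of `docker image inspect` output (capital "Config" key). Each finding
    records the variable, its value, and which of its paths are relative, because
    a relative path is exactly what resolves against the container rootfs when a
    hook runs with its working directory set to that rootfs.
    """
    cfg = json.loads(config_json)
    env = (cfg.get("config") or cfg.get("Config") or {}).get("Env") or []
    findings = []
    for entry in env:
        name, sep, value = entry.partition("=")
        if not sep or name not in LOADER_VARS:
            continue
        # glibc splits LD_PRELOAD on spaces and colons.
        paths = [p for p in value.replace(":", " ").split() if p]
        findings.append({
            "var": name,
            "value": value,
            "relative_paths": [p for p in paths if not os.path.isabs(p)],
        })
    return findings


def is_image_safe(config_json: str) -> bool:
    """Admission decision: reject any image that sets a loader variable at all."""
    return not find_loader_env(config_json)


# Constructed sample configs (not real images).
MALICIOUS_CONFIG = json.dumps({
    "architecture": "amd64", "os": "linux",
    "config": {"Env": ["PATH=/usr/bin", "LD_PRELOAD=./poc.so"], "Cmd": ["/bin/sh"]},
})
CLEAN_CONFIG = json.dumps({
    "architecture": "amd64", "os": "linux",
    "config": {"Env": ["PATH=/usr/bin", "NVIDIA_VISIBLE_DEVICES=all"], "Cmd": ["/bin/sh"]},
})

if __name__ == "__main__":
    for label, cfg in (("malicious", MALICIOUS_CONFIG), ("clean", CLEAN_CONFIG)):
        for f in find_loader_env(cfg):
            print(f"{label}: {f['var']}={f['value']} relative={f['relative_paths']}")
        print(f"{label}: safe={is_image_safe(cfg)}")
```

In a pipeline, feed it the config blob from `skopeo inspect --config IMAGE` or the first element of `docker image inspect IMAGE`. The decision is deliberately strict: an absolute LD_PRELOAD path is also rejected, because a variable that legitimately belongs in a workload’s environment has no business being baked into the image config that a host-side hook inherits.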

Anonymous XSS in Grafana dashboards

Grafana dashboards are vulnerable to an XSS attack, without requiring editor access. As a result of their bug bounty program, Grafana Labs repaired CVE-2025-6023, a Cross-Site Scripting (XSS) vulnerability that only requires anonymous access be enabled.

This single CVE is actually a pair of weaknesses: a path traversal coupled with an open redirect. Unlike many reported XSS vulnerabilities, it does not require editor access to be exploited, which opens the door for attackers to hijack sessions, take over user accounts, or redirect legitimate users to malicious pages.

Fortunately, a fairly simple Content-Security-Policy configuration (one whose script-src is limited to the Grafana origin, so that a script fetched from a foreign origin is refused by the browser) significantly limits the attack; but users running Grafana 11.5.0 or newer are advised to update in any case.
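To make the CSP point concrete, here is an added example, not Grafana’s code and not its actual policy template: a small evaluator that applies the CSP source-matching rules relevant here (none, self, unsafe-inline, nonces, scheme sources and host sources with a leading wildcard) to decide whether a page may load a given script. The page URL, attacker URL and the three policy strings are constructed for the demonstration; `strict-dynamic` and hash sources are deliberately not modelled.

```python
"""Decide whether a Content-Security-Policy lets a page load a given script.
Added illustration for this newsletter; not Grafana's code, and the policy
strings are constructed rather than copied from Grafana's configuration."""
from typing import Dict, List, Optional
from urllib.parse import urlparse


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; first directive wins."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern: Optional[str], host: Optional[str]) -> bool:
    if pattern is None or host is None:
        return False
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" -> ".example.com"
    return pattern == host


def _host_source_allows(src: str, script) -> bool:
    """Match host sources such as cdn.example.com, *.example.com or https://cdn.example.com:8443."""
    pattern = urlparse(src if "://" in src else "//" + src)
    if pattern.scheme and pattern.scheme != script.scheme:
        return False
    if pattern.port and pattern.port != script.port:
        return False
    return _host_matches(pattern.hostname, script.hostname)


def script_allowed(csp: Optional[str], script_url: Optional[str],
                   page_url: str, nonce: Optional[str] = None) -> bool:
    """True if a script from script_url (None = inline <script>) may run on page_url."""
    if csp is None:
        return True  # no policy at all: the browser loads anything
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src present
    if "'none'" in sources:
        return False
    nonce_ok = nonce is not None and f"'nonce-{nonce}'" in sources
    if script_url is None:  # inline script
        return "'unsafe-inline'" in sources or nonce_ok
    if nonce_ok:
        return True
    page, script = urlparse(page_url), urlparse(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src.endswith(":") and "/" not in src:  # scheme source, e.g. https:
            if script.scheme == src[:-1]:
                return True
        elif not src.startswith("'"):  # host source
            if _host_source_allows(src, script):
                return True
    return False


# Constructed URLs and policies for the demonstration.
PAGE = "https://grafana.example.internal/d/abc"
ATTACKER_SCRIPT = "https://attacker.example/x.js"
SAME_ORIGIN_SCRIPT = "https://grafana.example.internal/public/build/app.js"
NO_CSP = None
PERMISSIVE_CSP = "default-src *; script-src * 'unsafe-inline'"
RESTRICTIVE_CSP = "script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for name, policy in (("none", NO_CSP), ("permissive", PERMISSIVE_CSP), ("restrictive", RESTRICTIVE_CSP)):
        print(f"{name}: attacker script allowed = {script_allowed(policy, ATTACKER_SCRIPT, PAGE)}")
```

With the restrictive policy the foreign-origin script is refused while the application’s own bundle and nonce-bearing inline scripts still run, which is why a `script-src 'self'` style policy blunts an XSS that depends on pulling a script from an attacker-controlled host; it does not remove the underlying traversal and redirect bugs, hence the advice to update.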
