CVE-2024-12054

ZF Roll Stability Support Plus (RSSPlus) Authentication Bypass By Primary Weakness

CVSS 5.9 MEDIUM · EPSS 0.2% · CWE-305
Vexday Risk Score
13 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.9 · EPSS 0.2% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
13 Feb 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
ZF Roll Stability Support Plus (RSSPlus) is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software; however, the vehicle remains in a safe vehicle state.
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Affected products
ZF · RSSPlus 2M
