Search criteria
25 vulnerabilities found for dmx958xr by jvckenwood
VAR-202508-0143
Vulnerability from variot - Updated: 2025-09-08 23:25Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26263. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0143",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-788"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8640",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20420",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8640",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011085",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8640",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8640",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011085",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8640",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20420",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26263. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8640"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"db": "CNVD",
"id": "CNVD-2025-20420"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8640",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-788",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26263",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20420",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"id": "VAR-202508-0143",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20420"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20420"
}
]
},
"last_update_date": "2025-09-08T23:25:57.595000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-788/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8640"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"date": "2025-08-06T02:15:52.193000",
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-788"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20420"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011085"
},
{
"date": "2025-08-07T16:54:00.050000",
"db": "NVD",
"id": "CVE-2025-8640"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011085"
}
],
"trust": 0.8
}
}
VAR-202508-0141
Vulnerability from variot - Updated: 2025-09-08 23:25Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26270. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0141",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-795"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8647",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2025-20288",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8647",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011099",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8647",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8647",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011099",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8647",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20288",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26270. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8647"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"db": "CNVD",
"id": "CNVD-2025-20288"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8647",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-795",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26270",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20288",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"id": "VAR-202508-0141",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20288"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20288"
}
]
},
"last_update_date": "2025-09-08T23:25:35.637000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-795/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8647"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"date": "2025-08-06T02:15:53.220000",
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-795"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20288"
},
{
"date": "2025-08-08T09:04:00",
"db": "JVNDB",
"id": "JVNDB-2025-011099"
},
{
"date": "2025-08-07T16:51:21.713000",
"db": "NVD",
"id": "CVE-2025-8647"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011099"
}
],
"trust": 0.8
}
}
VAR-202508-0124
Vulnerability from variot - Updated: 2025-09-08 23:23Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26253. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0124",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-778"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8630",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20422",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8630",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011015",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8630",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8630",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011015",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8630",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20422",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26253. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8630"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"db": "CNVD",
"id": "CNVD-2025-20422"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8630",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-778",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26253",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20422",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"id": "VAR-202508-0124",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20422"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20422"
}
]
},
"last_update_date": "2025-09-08T23:23:48.798000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-778/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8630"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"date": "2025-08-06T02:15:50.723000",
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-778"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20422"
},
{
"date": "2025-08-08T06:48:00",
"db": "JVNDB",
"id": "JVNDB-2025-011015"
},
{
"date": "2025-08-07T17:01:27.123000",
"db": "NVD",
"id": "CVE-2025-8630"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011015"
}
],
"trust": 0.8
}
}
VAR-202508-0173
Vulnerability from variot - Updated: 2025-09-08 23:23Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0173",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-779"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8631",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20424",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8631",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011090",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8631",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8631",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011090",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8631",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20424",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8631"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"db": "CNVD",
"id": "CNVD-2025-20424"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8631",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-779",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26254",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20424",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"id": "VAR-202508-0173",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20424"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20424"
}
]
},
"last_update_date": "2025-09-08T23:23:07.990000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-779/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8631"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"date": "2025-08-06T02:15:50.873000",
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-779"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20424"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011090"
},
{
"date": "2025-08-07T17:00:45.080000",
"db": "NVD",
"id": "CVE-2025-8631"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011090"
}
],
"trust": 0.8
}
}
VAR-202508-0150
Vulnerability from variot - Updated: 2025-09-08 23:21Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26262. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0150",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-787"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8639",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20423",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8639",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011086",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8639",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8639",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011086",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8639",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20423",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26262. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8639"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"db": "CNVD",
"id": "CNVD-2025-20423"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8639",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-787",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26262",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20423",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"id": "VAR-202508-0150",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20423"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20423"
}
]
},
"last_update_date": "2025-09-08T23:21:36.622000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-787/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8639"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"date": "2025-08-06T02:15:52.050000",
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-787"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20423"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011086"
},
{
"date": "2025-08-07T16:54:13.987000",
"db": "NVD",
"id": "CVE-2025-8639"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011086"
}
],
"trust": 0.8
}
}
VAR-202508-0196
Vulnerability from variot - Updated: 2025-09-08 23:20Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26271. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0196",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-796"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8648",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20421",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8648",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011098",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8648",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8648",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011098",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8648",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20421",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26271. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8648"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"db": "CNVD",
"id": "CNVD-2025-20421"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8648",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-796",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26271",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20421",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"id": "VAR-202508-0196",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20421"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20421"
}
]
},
"last_update_date": "2025-09-08T23:20:37.360000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-796/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8648"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"date": "2025-08-06T02:15:53.367000",
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-796"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20421"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011098"
},
{
"date": "2025-08-07T16:51:12.960000",
"db": "NVD",
"id": "CVE-2025-8648"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011098"
}
],
"trust": 0.8
}
}
VAR-202508-0188
Vulnerability from variot - Updated: 2025-09-08 23:18Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ReadMVGImage function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26313. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0188",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Viettel Cyber Security",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-802"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8654",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2025-20287",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2025-8654",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011017",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2025-8654",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8654",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011017",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2025-8654",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2025-20287",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the ReadMVGImage function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26313. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8654"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"db": "CNVD",
"id": "CNVD-2025-20287"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8654",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-802",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26313",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20287",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"id": "VAR-202508-0188",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20287"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20287"
}
]
},
"last_update_date": "2025-09-08T23:18:51.908000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-802/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8654"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"date": "2025-08-06T02:15:54.227000",
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-802"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20287"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011017"
},
{
"date": "2025-08-07T16:50:12.847000",
"db": "NVD",
"id": "CVE-2025-8654"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011017"
}
],
"trust": 0.8
}
}
VAR-202508-0158
Vulnerability from variot - Updated: 2025-09-08 23:17Kenwood DMX958XR libSystemLib Command injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26314. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0158",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Synacktiv",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-803"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8655",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20426",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8655",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011094",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8655",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8655",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011094",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8655",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20426",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR libSystemLib Command injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26314. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8655"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"db": "CNVD",
"id": "CNVD-2025-20426"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8655",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-803",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26314",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20426",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"id": "VAR-202508-0158",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20426"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20426"
}
]
},
"last_update_date": "2025-09-08T23:17:53.426000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-803/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8655"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"date": "2025-08-06T02:15:54.367000",
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-803"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20426"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011094"
},
{
"date": "2025-08-07T16:50:03.660000",
"db": "NVD",
"id": "CVE-2025-8655"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011094"
}
],
"trust": 0.8
}
}
VAR-202508-0140
Vulnerability from variot - Updated: 2025-09-08 23:17Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26307. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0140",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Evan Grant",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-799"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8651",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20285",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8651",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011095",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8651",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8651",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011095",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8651",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20285",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26307. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8651"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"db": "CNVD",
"id": "CNVD-2025-20285"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8651",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-799",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26307",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20285",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"id": "VAR-202508-0140",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20285"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20285"
}
]
},
"last_update_date": "2025-09-08T23:17:30.934000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-799/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8651"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"date": "2025-08-06T02:15:53.797000",
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-799"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20285"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011095"
},
{
"date": "2025-08-07T16:50:34.797000",
"db": "NVD",
"id": "CVE-2025-8651"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011095"
}
],
"trust": 0.8
}
}
VAR-202508-0123
Vulnerability from variot - Updated: 2025-09-08 23:16Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26257. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0123",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-782"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8634",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20298",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8634",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011024",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8634",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8634",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011024",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8634",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20298",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26257. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8634"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"db": "CNVD",
"id": "CNVD-2025-20298"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8634",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-782",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26257",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20298",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"id": "VAR-202508-0123",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20298"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20298"
}
]
},
"last_update_date": "2025-09-08T23:16:47.331000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-782/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8634"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"date": "2025-08-06T02:15:51.323000",
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-782"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20298"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011024"
},
{
"date": "2025-08-07T16:54:46.160000",
"db": "NVD",
"id": "CVE-2025-8634"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011024"
}
],
"trust": 0.8
}
}
VAR-202508-0144
Vulnerability from variot - Updated: 2025-09-08 23:16Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26259. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0144",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-784"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8636",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20419",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8636",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011023",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8636",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8636",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011023",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8636",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20419",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26259. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8636"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"db": "CNVD",
"id": "CNVD-2025-20419"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8636",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-784",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26259",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20419",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"id": "VAR-202508-0144",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20419"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20419"
}
]
},
"last_update_date": "2025-09-08T23:16:47.305000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-784/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8636"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"date": "2025-08-06T02:15:51.617000",
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-784"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20419"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011023"
},
{
"date": "2025-08-07T16:54:33.363000",
"db": "NVD",
"id": "CVE-2025-8636"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011023"
}
],
"trust": 0.8
}
}
VAR-202508-0149
Vulnerability from variot - Updated: 2025-09-08 23:14Kenwood DMX958XR libSystemLib Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26306. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0149",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-798"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8650",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20286",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8650",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011096",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8650",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8650",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011096",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8650",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20286",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR libSystemLib Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26306. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8650"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"db": "CNVD",
"id": "CNVD-2025-20286"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8650",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-798",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26306",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20286",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"id": "VAR-202508-0149",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20286"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20286"
}
]
},
"last_update_date": "2025-09-08T23:14:51.390000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-798/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8650"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"date": "2025-08-06T02:15:53.650000",
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-798"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20286"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011096"
},
{
"date": "2025-08-07T16:50:47.567000",
"db": "NVD",
"id": "CVE-2025-8650"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011096"
}
],
"trust": 0.8
}
}
VAR-202508-0197
Vulnerability from variot - Updated: 2025-09-08 23:11Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26252. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0197",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-777"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8629",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20425",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8629",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011091",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8629",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8629",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011091",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8629",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20425",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26252. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8629"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"db": "CNVD",
"id": "CNVD-2025-20425"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8629",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-777",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26252",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20425",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"id": "VAR-202508-0197",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20425"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20425"
}
]
},
"last_update_date": "2025-09-08T23:11:17.375000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-777/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8629"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"date": "2025-08-06T02:15:50.573000",
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-777"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20425"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011091"
},
{
"date": "2025-08-07T17:02:14.393000",
"db": "NVD",
"id": "CVE-2025-8629"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011091"
}
],
"trust": 0.8
}
}
VAR-202508-0148
Vulnerability from variot - Updated: 2025-09-08 23:10Kenwood DMX958XR JKRadioService Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKRadioService. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26312. JVCKENWOOD Corporation of DMX958XR A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0148",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "hama7230",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-801"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8653",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2025-20284",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2025-8653",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011018",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2025-8653",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8653",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011018",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2025-8653",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2025-20284",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR JKRadioService Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the JKRadioService. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26312. JVCKENWOOD Corporation of DMX958XR A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8653"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"db": "CNVD",
"id": "CNVD-2025-20284"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8653",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-801",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26312",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20284",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"id": "VAR-202508-0148",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20284"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20284"
}
]
},
"last_update_date": "2025-09-08T23:10:23.488000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-121",
"trust": 1.0
},
{
"problemtype": "Stack-based buffer overflow (CWE-121) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-801/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8653"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"date": "2025-08-06T02:15:54.083000",
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-801"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20284"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011018"
},
{
"date": "2025-08-07T16:53:22.800000",
"db": "NVD",
"id": "CVE-2025-8653"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 Stack-based buffer overflow vulnerability in firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011018"
}
],
"trust": 0.8
}
}
VAR-202508-0109
Vulnerability from variot - Updated: 2025-09-08 23:07Kenwood DMX958XR Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows physically present attackers to downgrade software on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the libSystemLib library. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-26355. JVCKENWOOD Corporation of DMX958XR The firmware contains vulnerabilities related to the failure of protection mechanisms.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0109",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Synacktiv",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-804"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8656",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20283",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8656",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011093",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8656",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8656",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011093",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8656",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20283",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows physically present attackers to downgrade software on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the libSystemLib library. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-26355. JVCKENWOOD Corporation of DMX958XR The firmware contains vulnerabilities related to the failure of protection mechanisms.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8656"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"db": "CNVD",
"id": "CNVD-2025-20283"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8656",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-804",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26355",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20283",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"id": "VAR-202508-0109",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20283"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20283"
}
]
},
"last_update_date": "2025-09-08T23:07:39.326000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-693",
"trust": 1.0
},
{
"problemtype": "Malfunction of protection mechanism (CWE-693) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-804/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8656"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"date": "2025-08-06T02:15:54.517000",
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-804"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20283"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011093"
},
{
"date": "2025-08-07T16:49:34.430000",
"db": "NVD",
"id": "CVE-2025-8656"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 Vulnerabilities related to flaws in protection mechanisms in firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011093"
}
],
"trust": 0.8
}
}
VAR-202508-0172
Vulnerability from variot - Updated: 2025-09-08 23:07Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26269. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0172",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-794"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8646",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20301",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8646",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011100",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8646",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8646",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011100",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8646",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20301",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26269. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8646"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"db": "CNVD",
"id": "CNVD-2025-20301"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8646",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-794",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26269",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20301",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"id": "VAR-202508-0172",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20301"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20301"
}
]
},
"last_update_date": "2025-09-08T23:07:39.297000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-794/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8646"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"date": "2025-08-06T02:15:53.073000",
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-794"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20301"
},
{
"date": "2025-08-08T09:04:00",
"db": "JVNDB",
"id": "JVNDB-2025-011100"
},
{
"date": "2025-08-07T16:51:31.050000",
"db": "NVD",
"id": "CVE-2025-8646"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011100"
}
],
"trust": 0.8
}
}
VAR-202508-0142
Vulnerability from variot - Updated: 2025-09-08 23:03Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26266. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0142",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-791"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8643",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20427",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8643",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011020",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8643",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8643",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011020",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8643",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20427",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26266. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8643"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"db": "CNVD",
"id": "CNVD-2025-20427"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8643",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-791",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26266",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20427",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"id": "VAR-202508-0142",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20427"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20427"
}
]
},
"last_update_date": "2025-09-08T23:03:42.555000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-791/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8643"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"date": "2025-08-06T02:15:52.640000",
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-791"
},
{
"date": "2025-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20427"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011020"
},
{
"date": "2025-08-07T16:52:03.850000",
"db": "NVD",
"id": "CVE-2025-8643"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011020"
}
],
"trust": 0.8
}
}
VAR-202508-0112
Vulnerability from variot - Updated: 2025-09-07 23:23Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26261. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0112",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-786"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8638",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20293",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8638",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011022",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8638",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8638",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011022",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8638",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20293",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26261. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8638"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"db": "CNVD",
"id": "CNVD-2025-20293"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8638",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-786",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26261",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20293",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"id": "VAR-202508-0112",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20293"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20293"
}
]
},
"last_update_date": "2025-09-07T23:23:53.264000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-786/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8638"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"date": "2025-08-06T02:15:51.900000",
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-786"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20293"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011022"
},
{
"date": "2025-08-07T16:54:23.547000",
"db": "NVD",
"id": "CVE-2025-8638"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011022"
}
],
"trust": 0.8
}
}
VAR-202508-0130
Vulnerability from variot - Updated: 2025-09-07 23:20Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26256. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0130",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-781"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8633",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20294",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8633",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011016",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8633",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8633",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011016",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8633",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20294",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26256. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8633"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"db": "CNVD",
"id": "CNVD-2025-20294"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8633",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-781",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26256",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20294",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"id": "VAR-202508-0130",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20294"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20294"
}
]
},
"last_update_date": "2025-09-07T23:20:04.317000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-781/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8633"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"date": "2025-08-06T02:15:51.170000",
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-781"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20294"
},
{
"date": "2025-08-08T06:56:00",
"db": "JVNDB",
"id": "JVNDB-2025-011016"
},
{
"date": "2025-08-07T17:00:19.020000",
"db": "NVD",
"id": "CVE-2025-8633"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011016"
}
],
"trust": 0.8
}
}
VAR-202508-0171
Vulnerability from variot - Updated: 2025-09-07 23:18Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26311. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0171",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "PHP Hooligans",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-800"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8652",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20297",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8652",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011019",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8652",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8652",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011019",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8652",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20297",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26311. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8652"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"db": "CNVD",
"id": "CNVD-2025-20297"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8652",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-800",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26311",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20297",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"id": "VAR-202508-0171",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20297"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20297"
}
]
},
"last_update_date": "2025-09-07T23:18:20.403000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-800/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8652"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"date": "2025-08-06T02:15:53.940000",
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-800"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20297"
},
{
"date": "2025-08-08T07:05:00",
"db": "JVNDB",
"id": "JVNDB-2025-011019"
},
{
"date": "2025-08-07T16:50:23.513000",
"db": "NVD",
"id": "CVE-2025-8652"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011019"
}
],
"trust": 0.8
}
}
VAR-202508-0104
Vulnerability from variot - Updated: 2025-09-07 23:15Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26268. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0104",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-793"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8645",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20289",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8645",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011101",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8645",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8645",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011101",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8645",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20289",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26268. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8645"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"db": "CNVD",
"id": "CNVD-2025-20289"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8645",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-793",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26268",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20289",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"id": "VAR-202508-0104",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20289"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20289"
}
]
},
"last_update_date": "2025-09-07T23:15:05.410000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-793/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8645"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"date": "2025-08-06T02:15:52.930000",
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-793"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20289"
},
{
"date": "2025-08-08T09:04:00",
"db": "JVNDB",
"id": "JVNDB-2025-011101"
},
{
"date": "2025-08-07T16:51:41.697000",
"db": "NVD",
"id": "CVE-2025-8645"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011101"
}
],
"trust": 0.8
}
}
VAR-202508-0122
Vulnerability from variot - Updated: 2025-09-07 23:14Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26267. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0122",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-792"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8644",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20300",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8644",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011083",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8644",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8644",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011083",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8644",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20300",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26267. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8644"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"db": "CNVD",
"id": "CNVD-2025-20300"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8644",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-792",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26267",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20300",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"id": "VAR-202508-0122",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20300"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20300"
}
]
},
"last_update_date": "2025-09-07T23:14:38.674000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-792/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8644"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"date": "2025-08-06T02:15:52.783000",
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-792"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20300"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011083"
},
{
"date": "2025-08-07T16:51:53.730000",
"db": "NVD",
"id": "CVE-2025-8644"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011083"
}
],
"trust": 0.8
}
}
VAR-202508-0105
Vulnerability from variot - Updated: 2025-09-07 23:14Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26255. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0105",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-780"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8632",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20299",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8632",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011089",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8632",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8632",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011089",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8632",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20299",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26255. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8632"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"db": "CNVD",
"id": "CNVD-2025-20299"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8632",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-780",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26255",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20299",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"id": "VAR-202508-0105",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20299"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20299"
}
]
},
"last_update_date": "2025-09-07T23:14:08.134000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-780/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8632"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"date": "2025-08-06T02:15:51.023000",
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-780"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20299"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011089"
},
{
"date": "2025-08-07T17:00:29.240000",
"db": "NVD",
"id": "CVE-2025-8632"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011089"
}
],
"trust": 0.8
}
}
VAR-202508-0111
Vulnerability from variot - Updated: 2025-09-07 23:10Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26265. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0111",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0005.4600"
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0005.4600"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "@ByteInsight",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-790"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8642",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2025-20302",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8642",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011084",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8642",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8642",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011084",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8642",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20302",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26265. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8642"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"db": "CNVD",
"id": "CNVD-2025-20302"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8642",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-790",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26265",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20302",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"id": "VAR-202508-0111",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20302"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20302"
}
]
},
"last_update_date": "2025-09-07T23:10:56.620000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-790/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8642"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"date": "2025-08-06T02:15:52.497000",
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-790"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20302"
},
{
"date": "2025-08-08T09:01:00",
"db": "JVNDB",
"id": "JVNDB-2025-011084"
},
{
"date": "2025-08-07T16:52:13.383000",
"db": "NVD",
"id": "CVE-2025-8642"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011084"
}
],
"trust": 0.8
}
}
VAR-202508-0110
Vulnerability from variot - Updated: 2025-09-07 23:00Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26305. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202508-0110",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dmx958xr",
"scope": "eq",
"trust": 1.0,
"vendor": "jvckenwood",
"version": "1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": "dmx958xr firmware 1.0.0509.3100"
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.8,
"vendor": "jvckenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": null,
"trust": 0.7,
"vendor": "kenwood",
"version": null
},
{
"model": "dmx958xr",
"scope": "eq",
"trust": 0.6,
"vendor": "kenwood",
"version": "1.0.0509.3100"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Elias Ikkela-Koski",
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-797"
}
],
"trust": 0.7
},
"cve": "CVE-2025-8649",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2025-20291",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "zdi-disclosures@trendmicro.com",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8649",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2025-011097",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2025-8649",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "zdi-disclosures@trendmicro.com",
"id": "CVE-2025-8649",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2025-011097",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2025-8649",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2025-20291",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26305. JVCKENWOOD Corporation of DMX958XR The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Kenwood DMX958XR is an in-vehicle infotainment system from Kenwood",
"sources": [
{
"db": "NVD",
"id": "CVE-2025-8649"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"db": "CNVD",
"id": "CNVD-2025-20291"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2025-8649",
"trust": 3.9
},
{
"db": "ZDI",
"id": "ZDI-25-797",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-26305",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2025-20291",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"id": "VAR-202508-0110",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20291"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20291"
}
]
},
"last_update_date": "2025-09-07T23:00:44.293000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "OS Command injection (CWE-78) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.zerodayinitiative.com/advisories/zdi-25-797/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-8649"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"date": "2025-08-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"date": "2025-08-06T02:15:53.503000",
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-08-05T00:00:00",
"db": "ZDI",
"id": "ZDI-25-797"
},
{
"date": "2025-09-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2025-20291"
},
{
"date": "2025-08-08T09:03:00",
"db": "JVNDB",
"id": "JVNDB-2025-011097"
},
{
"date": "2025-08-07T16:51:05.763000",
"db": "NVD",
"id": "CVE-2025-8649"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "JVCKENWOOD\u00a0Corporation\u00a0 of \u00a0DMX958XR\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2025-011097"
}
],
"trust": 0.8
}
}