CVE-2025-11690 · HIGH 8.5 · EPSS p3.9%

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The vulnerability is remediated by a server-side authorization fix.

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS: 0.14% probability of exploitation · percentile 3.9% · 2026-06-18T12:00:27Z
Published: 2025-11-04
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-639

References

  1. https://advisories.ncsc.nl/2025/ncsc-2025-0350.html
  2. https://medium.com/@ilnur.khakimov_86612/how-i-hacked-100-000-motorcycles-including-my-own-666bdb702b7d

Type | Target | Confidence | Tier
Weakness | Authorization Bypass Through User-Controlled Key, cwe-639 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-55705
  2. CVE-2026-26290
  3. CVE-2025-45968
  4. CVE-2026-20748
  5. CVE-2025-30023
  6. CVE-2026-27647

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.