Security researchers have revealed serious vulnerabilities in the Nissan Leaf that could let hackers remotely spy on drivers and take over core car functions — even while the vehicle is moving.
The findings, shared last week at Black Hat Asia 2025, were presented by PCAutomotive, a cybersecurity firm that specializes in penetration testing and threat intelligence for automotive and financial services. Their investigation targeted a 2020 second-generation Nissan Leaf, uncovering a series of security gaps that could be exploited via Bluetooth.
Bluetooth Entry Leads to Full Remote Control
By tapping into the car’s infotainment system through its Bluetooth connection, PCAutomotive’s team was able to break into the internal network of the vehicle. From there, they escalated privileges and set up a command-and-control (C&C) channel via cellular networks — giving them covert, persistent access to the EV over the internet.
This backdoor access allowed them to carry out alarming intrusions, including:
- Tracking the car’s live location
- Recording in-vehicle conversations
- Taking screenshots of the infotainment system
- Remotely activating physical functions like doors, wipers, horn, mirrors, windows, and lights
- Gaining partial control of the steering wheel — even while the car was driving
These capabilities paint a troubling picture of what would be possible if such flaws were exploited by malicious actors.
Vulnerabilities Identified and Confirmed
The flaws have been assigned eight CVE identifiers, ranging from CVE-2025-32056 to CVE-2025-32063. According to the researchers, they reported the vulnerabilities to Nissan in August 2023. The carmaker confirmed the issues in January 2024, but the CVE identifiers were assigned only recently.
While PCAutomotive declined to share full technical details publicly, they released a demonstration video showing how their remote exploits worked in real time.
Nissan Responds to Security Concerns
In a statement, a Nissan spokesperson acknowledged the findings but declined to describe specific countermeasures “for security reasons.” The company emphasized its continued efforts to improve protection against evolving cyber threats:
“PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”
Cybersecurity in Cars: A Growing Threat
This case isn’t an isolated incident. Modern cars are increasingly internet-connected and packed with smart features — which also makes them a growing target for cybercriminals. At the Pwn2Own Automotive hacking competition held earlier this year, researchers earned $886,000 in rewards for exposing vulnerabilities in EV chargers and infotainment systems alone.
As vehicles become more software-driven, industry experts warn that automotive cybersecurity must evolve quickly. From theft and stalking to remote sabotage, the risks are no longer hypothetical.