Cybersecurity firm Kaspersky has revealed a startling set of vulnerabilities in a vehicle manufacturer’s connected-car system after a recent audit presented at the Security Analyst Summit 2025. The firm found that by exploiting a zero-day SQL injection in a contractor’s exposed web app, attackers could gain access to the telematics infrastructure and potentially hijack critical vehicle functions – including shifting gears, disabling the engine or manipulating vehicle systems during driving, reports Telematics Wire.
The investigation found weak defence measures such as publicly accessible web services, weak password policies, no two-factor authentication, and inadequate segmentation of networks and infrastructure. Through these gaps, Kaspersky’s researchers accessed privileged systems, extracted hashed credentials, discovered misconfigured firewalls, and uncovered firmware-update commands that allowed intervention in the vehicle’s CAN bus (which links the engine, transmission and other major modules).
In response, Kaspersky is calling on the automotive industry, and especially manufacturers and their contract partners, to enforce strong password policies, enable two-factor authentication, isolate telematics platforms from vehicle networks, encrypt stored sensitive data and deploy centralised logging and monitoring (a SIEM) for real-time anomaly detection. The finding underscores how third-party systems and contractor access can become the weak link in vehicle cybersecurity, offering attackers a path from an exposed web application to deep control over connected vehicles, and so a threat to both driver safety and brand trust.
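The two ends of the chain described above, the contractor web app's SQL injection and the SIEM-style monitoring Kaspersky recommends, are easy to make concrete. The following is an added example written for this page, not code from the audit or from Kaspersky: it builds a constructed in-memory users table for a hypothetical contractor login page, shows a string-built query being bypassed with a commented-out password check next to the parameterised form that is not, and then runs a small injection detector over constructed Apache/Nginx-style access-log lines (all user names, passwords, IPs and log lines are invented).

```python
"""SQL injection in a login handler: vulnerable vs. parameterised form,
plus a small detector run over web-server log lines.

Added example, not code from the audit or from Kaspersky. The table, user
names, passwords, IPs and log lines below are all constructed for illustration.
"""
import hashlib
import re
import sqlite3
from urllib.parse import unquote_plus


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, deliberately weak: stands in for the kind of
    'hashed credentials' an attacker would pull out of such a system."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed users table for a hypothetical contractor web app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("fleet_admin", sha256_hex("Summer2024!"), "admin"),
         ("tech1", sha256_hex("tech1pass"), "technician")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: the username is spliced into the SQL text unchanged.
    Returns (username, role) on success, None on failure."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND pw_hash = '%s'" % (username, sha256_hex(password)))
    return conn.execute(query).fetchone()


def login_hardened(conn, username: str, password: str):
    """Same lookup with bound parameters: the username is data, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
        (username, sha256_hex(password)),
    ).fetchone()


# Detector side: flag requests whose URL-decoded target contains a quote
# followed by a comment marker, an OR clause or a UNION SELECT.
SQLI_PATTERN = re.compile(r"'\s*(--|or\s+|union\s+select)", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def flag_sqli(log_lines):
    """Return (source IP, decoded request target) for lines that look like
    SQL injection attempts. Assumes combined log format (first field is the IP)."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = unquote_plus(m.group(1))
        if SQLI_PATTERN.search(target):
            hits.append((line.split()[0], target))
    return hits


# Constructed log lines: a normal login, an apostrophe in a real surname
# (must not alert), and two injection attempts from the same source.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2025:10:01:02 +0000] "GET /login?user=tech1&pw=tech1pass HTTP/1.1" 200 512',
    '10.0.0.6 - - [03/Nov/2025:10:01:09 +0000] "GET /login?user=o%27brien&pw=x HTTP/1.1" 401 87',
    '203.0.113.9 - - [03/Nov/2025:10:02:15 +0000] "GET /login?user=fleet_admin%27+--&pw=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Nov/2025:10:02:31 +0000] "GET /login?user=%27+OR+%271%27%3D%271&pw=x HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    db = build_db()
    payload = "fleet_admin' --"   # closes the string and comments out the password check
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # ('fleet_admin', 'admin')
    print("hardened:  ", login_hardened(db, payload, "wrong"))    # None
    for ip, target in flag_sqli(SAMPLE_LOG):
        print("ALERT", ip, target)
```

Two points worth noting. Hashing the password before it reaches the query does nothing for the username field, which is why `fleet_admin' --` still lands an admin session against the vulnerable handler; only binding both values fixes it. And the detector is intentionally narrow: it catches the quote-plus-operator shapes used here but would need the decoded request body as well as the query string, and a broader pattern set, before it could stand in for a real WAF or SIEM rule.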