{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70994", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-23T15:10:43.811Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T14:03:07.064Z"}, "descriptions": [{"lang": "en", "value": "Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ktauchathuranga/ghost-keys"}, {"url": "https://github.com/ktauchathuranga/CVE-2025-70994"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1390", "lang": "en", "description": "CWE-1390 Weak Authentication"}]}], "references": [{"url": "https://github.com/ktauchathuranga/CVE-2025-70994", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T15:09:43.949647Z", "id": "CVE-2025-70994", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T15:10:43.811Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70994", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T15:09:43.949647Z"}}}], "references": [{"url": "https://github.com/ktauchathuranga/CVE-2025-70994", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1390", "description": "CWE-1390 Weak Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T15:01:03.820Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/ktauchathuranga/ghost-keys"}, {"url": "https://github.com/ktauchathuranga/CVE-2025-70994"}], "descriptions": [{"lang": "en", "value": "Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T14:03:07.064Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70994", "state": "PUBLISHED", "dateUpdated": "2026-04-23T15:10:43.811Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack."}], "id": "CVE-2025-70994", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T15:36:26.687", "references": [{"source": "cve@mitre.org", "url": "https://github.com/ktauchathuranga/CVE-2025-70994"}, {"source": "cve@mitre.org", "url": "https://github.com/ktauchathuranga/ghost-keys"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ktauchathuranga/CVE-2025-70994"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1390"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "t5_electric_bicycles", "vendor": "yadea"}], "analysis": {"en": {"generated_at": "2026-04-28T15:06:26.418446+00:00", "value": {"mitigation_remediation": ["Verify the bike\u2019s firmware version against manufacturer release notes and apply any available patch that introduces rolling codes or cryptographic challenge\u2011response authentication.", "If no firmware update is available, disable the keyless entry function by using a physical lock or covering the key fob receiver to prevent RF reception.", "Limit exposure to RF signals by storing the bicycle in a Faraday\u2011shielded environment or a covered area to reduce the chance of signal interception.", "Contact Yadea support for guidance on interim mitigations and to stay informed about forthcoming firmware fixes."], "summary": {"action": "Apply Vendor Fix", "impact": "Unauthorized vehicle operation via replay attack"}, "threat_synthesis": {"affected_systems": "Yadea T5 Electric Bicycles (models manufactured in or after 2024).", "description_and_impact": "The Yadea T5 Electric Bicycle models manufactured in or after 2024 expose a weak authentication mechanism in their keyless entry system. The system relies on the EV1527 fixed-code RF protocol and lacks both rolling codes and cryptographic challenge-response. This design flaw allows a local attacker who intercepts a legitimate key fob transmission to forge the signal and replay it, resulting in complete unauthorized vehicle operation. The compromised security property is the integrity of the access control system, as highlighted by CWE\u20111390.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.3, indicating a high severity. The EPSS score of less than 1% suggests that the practical likelihood of exploitation is currently very low, and the flaw is not listed in the CISA KEV catalog. However, the attack vector requires a local presence to intercept the key fob signal, after which the attacker can replay the captured RF transmission to gain unauthorized control of the bicycle. If an adversary can be near the vehicle, they could potentially operate it without authorization, posing a threat to owner safety and property."}}}}, "created": "2026-04-28T09:26:42.059305+00:00", "title": "Vulnerable Keyless Entry RF Protocol Enables Replay Attack on Yadea T5 Electric Bicycles", "updated": "2026-04-28T15:15:34.202478+00:00", "vendors": ["yadea", "yadea$PRODUCT$t5_electric_bicycles"]}