CVE-2024-45434
published 2025-09-12


Priority: P268
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.93% (92.3rd percentile)
OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of validating the existence of an object before performing operations on the object (aka use after free). An attacker can leverage this to achieve remote code execution in the context of a user account under which the Bluetooth process runs.

Affected

1 range

Vendor        Product    Version range   Fixed in
opensynergy   blue_sdk   <= 6.0.1

Detection & IOCs (extracted from sources)

  • CVE-2024-45434 is a use-after-free in the AVRCP (Audio/Video Remote Control Profile) service of the BlueSDK Bluetooth stack; focus monitoring on the AVRCP service handler for anomalous object lifecycle operations
  • PerfektBlue exploit chain (CVE-2024-45431 through CVE-2024-45434) can be delivered over-the-air and requires at most 1-click from a user (Bluetooth pairing approval); monitor for unexpected Bluetooth pairing requests combined with AVRCP service crashes or memory corruption indicators
  • Successful exploitation results in a reverse shell obtained over TCP/IP on the in-vehicle infotainment (IVI) system; monitor for unexpected outbound TCP shell sessions originating from IVI/infotainment processes
  • Post-exploitation activity includes privilege escalation and lateral movement to other vehicle components; monitor for anomalous inter-process or inter-ECU communication originating from the infotainment system after a Bluetooth pairing event
  • Affected platforms confirmed for PerfektBlue include Volkswagen ID.4 (ICAS3 system), Mercedes-Benz (NTG6), and Skoda Superb (MIB3); prioritize detection and patching on these specific infotainment head unit platforms
  • Some automakers configure infotainment systems to pair without user confirmation, enabling a fully remote (0-click) attack path; audit Bluetooth pairing configuration on BlueSDK-based devices for auto-accept pairing settings
  • Exploit requires the attacker to be within Bluetooth range (5–7 meters) of the target vehicle; remote internet-based exploitation is not possible without physical proximity
  • For Volkswagen, exploitation additionally requires the ignition to be on, the infotainment system to be in active pairing mode, and the user to approve the pairing on-screen, reducing the opportunistic attack surface significantly
  • Full technical exploitation details have not been publicly released; PCA Cyber Security plans to disclose complete technical details in November 2025 at a conference talk
  • OpenSynergy released patches to customers in September 2024, but many automakers had not yet pushed corrective firmware updates at the time of disclosure; patch availability does not equal deployment
  • The vulnerability was found by analyzing a compiled binary without source code access, meaning the full attack surface of BlueSDK across all vendor customizations may not be fully characterized