## Vulnerability Discovered in Yadea T5 Electric Bicycles Security researchers have identified a critical vulnerability in **Yadea** T5 Electric Bicycles that could allow malicious actors to steal the vehicles. The flaw, **CVE-2025-70994**, stems from a weak authentication mechanism that makes the bicycles susceptible to signal forgery. ### Technical Details The vulnerability lies in the bicycle's key fob authentication process. A local attacker who intercepts legitimate key fob transmissions can forge signals to unlock and start the bicycle. According to the **Cybersecurity and Infrastructure Security Agency (CISA)**, successful exploitation of this vulnerability could directly result in vehicle theft. The affected product is: * Yadea T5 Electric Bicycle: versions all/*  ### CVSS Score and Affected Products The vulnerability has a CVSS v3 score of 7.3, indicating a high severity. The following table summarizes the key details: | CVSS | Vendor | Equipment | Vulnerabilities | | :---- | :----- | :------------------------- | :-------------------- | | v3 7.3 | Yadea | Yadea T5 Electric Bicycle | Weak Authentication | The Common Weakness Enumeration (CWE) associated with this vulnerability is CWE-1390, which specifically addresses weak authentication. ### Impact * **Critical Infrastructure Sectors:** Transportation Systems * **Countries/Areas Deployed:** Worldwide * **Company Headquarters Location:** China ### Mitigation and Recommendations While no specific patch or firmware update has been released by **Yadea** at the time of this writing, **CISA** recommends that organizations implement recommended cybersecurity strategies for proactive defense. These include: * Implementing defense-in-depth strategies. * Monitoring for suspicious network activity. * Following established internal procedures and reporting findings to **CISA** for tracking and correlation against other incidents. **CISA** provides further guidance and recommended practices on their ICS webpage. ### Acknowledgments Ashen Chathuranga reported this vulnerability to **MITRE** and **CISA**. ### References * [CISA ICS webpage](https://www.cisa.gov/ics) * [CVE-2025-70994](https://www.cve.org/CVERecord?id=CVE-2025-70994) * [CWE-1390](https://cwe.mitre.org/data/definitions/1390.html)