Researchers Uncover Remote Hacking Flaws in Nissan Leaf, Allowing Spying and Physical Control
Security researchers from PCAutomotive have demonstrated how a series of vulnerabilities in the Nissan Leaf electric vehicle could be exploited for remote hacking, enabling both surveillance and control over various car functions.
Their findings, presented at Black Hat Asia 2025, focused on a 2020 model of the second-generation Nissan Leaf. By exploiting Bluetooth functions within the infotainment system, the researchers gained access to the car’s internal network, escalated privileges, and established a command-and-control (C&C) channel over the cellular network for persistent, covert access.
Using these vulnerabilities, attackers could potentially track the vehicle’s location, capture screenshots of the infotainment display, and even eavesdrop on conversations inside the car. Additionally, they demonstrated the ability to manipulate physical functions remotely, such as operating the doors, windows, mirrors, lights, wipers, horn, and even controlling the steering wheel while the car was moving.
The vulnerabilities have been cataloged under CVE identifiers CVE-2025-32056 through CVE-2025-32063. Disclosure began in August 2023, with Nissan confirming the issues by January 2024. Assignment of CVEs was finalized only recently.
When contacted by SecurityWeek, a Nissan spokesperson stated that while the company would not share specific details for security reasons, it remains committed to advancing technologies to counter evolving cyber threats.
PCAutomotive also released a video demonstrating their successful exploitation of the vulnerabilities.
The discovery highlights the growing value of automotive exploits. At the recent Pwn2Own Automotive hacking competition, researchers earned a collective $886,000 for demonstrating vulnerabilities in EV chargers and infotainment systems.
