In context: As cars continue to become more computerized and connected, the possibilities for hackers to exploit systems greatly increase. Modern vehicles rely heavily on software and wireless networks, creating new entry points for attackers. This exploit in the 2020 Nissan Leaf highlights the growing risks as cars evolve into complex, sometimes autonomous devices.
Security researchers at the Black Hat conference in Asia have disclosed an exploit in 2020 Nissan Leaf electric vehicles that hijacks the entire computer system. Thanks to a laundry list of vulnerabilities, hackers can remotely control vital systems – from steering and braking to wipers and mirrors. The exploit can also enable in-cabin audio recording and GPS tracking.
The hack requires some user interaction, but PCAutomotive notes that obtaining it isn't challenging. The attacker first jams signals on the 2.4 GHz spectrum, triggering an alert on the infotainment system that it can't connect to Bluetooth devices like a phone. This notice prompts the user to open connectivity settings, providing the hacker the opportunity to take over the system.
A list of tracked vulnerabilities that allow the complex RCE attack include:
- CVE-2025-32056 – Anti-Theft bypass
- CVE-2025-32057 – app_redbend: MitM attack
- CVE-2025-32058 – v850: Stack Overflow in CBR processing
- CVE-2025-32059 – Stack buffer overflow leading to RCE [0]
- CVE-2025-32060 – Absence of a kernel module signature verification
- CVE-2025-32061 – Stack buffer overflow leading to RCE [1]
- CVE-2025-32062 – Stack buffer overflow leading to RCE [2]
- PCA_NISSAN_009 – Improper traffic filtration between CAN buses
- CVE-2025-32063 – Persistence for Wi-Fi network
- PCA_NISSAN_012 – Persistence through CVE-2017-7932 in HAB of I.MX 6
The seriousness of this attack is relatively low for a few reasons. First, it is restricted to the 2020 Leaf, which significantly limits its footprint. Second, PCAutomotive responsibly reported the exploit to Nissan before disclosing it at Black Hat, allowing the manufacturer to update the Leaf's firmware. Finally, the utility of remotely controlling a car is virtually nonexistent.
Without cameras or a direct view of the vehicle, remote control has little practical use – aside from enabling someone to cause random harm. However, recording in-car conversations or tracking the car's location is much more valuable to an attacker. Private discussions can yield significant intelligence when combined with other data-gathering techniques, and the GPS can offer easy target areas for theft.
Regardless of the exploit's practical impact, owners who have not updated their car's firmware should do so as soon as possible.
Hackers show how they can fully control your 2020 Nissan Leaf remotely
