PatchSiren cyber security CVE debrief
CVE-2025-61081 BYD CVE debrief
CVE-2025-61081 describes a brute-force authentication weakness in the BYD Atto3. According to the source record, an attacker can recover a permanently available (static) authentication key by brute force and use it to flash Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) related ECUs. NVD assigns the issue CVSS 3.1 7.5 HIGH and maps it to CWE-307 (Improper Restriction of Excessive Authentication Attempts). The NVD record carries vulnStatus Deferred, which means NVD has not completed its own analysis of the entry; defenders should therefore rely on vendor guidance for affected versions and fixes while treating this as a high-priority access-control and vehicle-service security concern.
- Vendor: BYD
- Product: Atto3
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
BYD Atto3 owners and operators, automotive service centers, fleet managers, ECU flashing/tool vendors, and incident responders handling vehicle diagnostics or programming workflows.
Technical summary
The supplied description says the weakness allows brute-force recovery of an authentication key that is permanently available: the key is static rather than issued per session, so once recovered it stays valid, and the mapped weakness (CWE-307) indicates that the authentication step does not effectively limit repeated attempts. With that key, an attacker may flash ECUs related to EPB and SRS functions. The structured NVD metadata lists CVSS:3.1 AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H and CWE-307. Read out, the vector says the attack requires physical access to the vehicle (AV:P) but no prior privilege or user interaction (PR:N/UI:N), the scope is changed (S:C), consistent with a compromised diagnostic authentication path reaching separate safety-relevant control units, and the impact is high for integrity and availability (I:H/A:H) with low confidentiality impact (C:L).
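To make the CWE-307 point concrete, the following added example (written for this debrief, not BYD code, and not a reproduction of the Atto3 handshake) contrasts a diagnostic authenticator that checks one fixed key with no attempt limit against a hardened variant that issues a single-use random challenge, bounds attempts, and applies a growing lockout. The seed/key exchange shape, the 16-bit key space, the key value 0xBEEF, the secret, and all class and function names are constructed assumptions chosen so the brute force finishes in well under a second.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

KEY_BITS = 16            # constructed toy key space so exhaustion is fast
STATIC_KEY = 0xBEEF      # constructed stand-in for a "permanently available" key


class StaticKeyAuthenticator:
    """CWE-307 pattern: one fixed key, unlimited guesses, no delay, no lockout."""

    def __init__(self, key: int = STATIC_KEY) -> None:
        self._key = key
        self.unlocked = False

    def try_key(self, guess: int) -> bool:
        self.unlocked = guess == self._key
        return self.unlocked


def tool_response(secret: bytes, challenge: bytes) -> bytes:
    """Response a legitimate tester tool derives from the shared secret (constructed scheme)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:4]


class ChallengeResponseAuthenticator:
    """Hardened pattern: single-use random challenge, bounded attempts, and a
    lockout that doubles with each further failure. The secret never leaves the ECU."""

    MAX_ATTEMPTS = 3
    BASE_LOCKOUT = 10.0  # seconds

    def __init__(self, secret: bytes, clock: Callable[[], float] = time.monotonic) -> None:
        self._secret = secret
        self._clock = clock          # injectable so a demo/test can control time
        self._failures = 0
        self._locked_until = 0.0
        self._challenge: Optional[bytes] = None
        self.unlocked = False

    def request_seed(self) -> Optional[bytes]:
        """Fresh challenge, or None while the lockout is in force."""
        if self._clock() < self._locked_until:
            return None
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def send_key(self, response: bytes) -> bool:
        if self._challenge is None or self._clock() < self._locked_until:
            return False
        expected = tool_response(self._secret, self._challenge)
        self._challenge = None       # a seed is consumed by exactly one attempt
        if hmac.compare_digest(response, expected):
            self._failures = 0
            self.unlocked = True
            return True
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            # 10 s after the 3rd failure, 20 s after the 4th, 40 s after the 5th, ...
            self._locked_until = self._clock() + self.BASE_LOCKOUT * 2 ** (self._failures - self.MAX_ATTEMPTS)
        return False


def brute_force_static(auth: StaticKeyAuthenticator) -> tuple[bool, int]:
    """Exhaust the toy key space; returns (unlocked, guesses used)."""
    for guess in range(1 << KEY_BITS):
        if auth.try_key(guess):
            return True, guess + 1
    return False, 1 << KEY_BITS


def brute_force_hardened(auth: ChallengeResponseAuthenticator, budget: int = 1000) -> tuple[bool, int]:
    """Sequential guesses against the hardened ECU; returns
    (unlocked, number of guesses the ECU actually evaluated)."""
    evaluated = 0
    for guess in range(budget):
        if auth.request_seed() is None:
            continue                 # locked out: the guess is never evaluated
        evaluated += 1
        if auth.send_key(guess.to_bytes(4, "big")):
            return True, evaluated
    return False, evaluated


if __name__ == "__main__":
    print("static key:", brute_force_static(StaticKeyAuthenticator()))
    frozen = lambda: 0.0             # time stands still, so the lockout never expires
    print("hardened:  ", brute_force_hardened(ChallengeResponseAuthenticator(b"ecu-secret", clock=frozen)))
```

The static authenticator falls to exhaustive search every time, and the recovered key is reusable on any vehicle that shares it; the hardened one evaluates only three guesses before the lockout, and because each seed is random and single-use, a captured response cannot be replayed later.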
Defensive priority
High for any environment that services, maintains, or secures affected vehicles or diagnostic tooling. Prioritize access control around physical vehicles, service interfaces, and programming workflows, and verify manufacturer remediation status as soon as possible.
Recommended defensive actions
- Confirm whether your BYD Atto3 fleet, workshop, or tooling uses any affected ECU flashing or diagnostic process.
- Restrict physical access to vehicles, service bays, and programming equipment; treat diagnostic access as privileged.
- Review and log all ECU programming, key issuance, and service actions for unusual or unauthorized activity.
- Monitor for unexpected flashing attempts or configuration changes affecting EPB, SRS, or related control units.
- Seek and apply official vendor remediation guidance or service instructions as soon as they are available.
- If you manage repairs or fleet servicing, ensure technicians use authenticated, auditable workflows rather than shared or permanent credentials.
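The logging and monitoring actions above only help if something consumes the records. The following added example (written for this debrief, not BYD tooling) runs two detections over constructed diagnostic-gateway log lines: a burst of security-access failures against one ECU of one vehicle, and a flash of an EPB or SRS unit that either comes from a tool outside a workshop allow-list or follows a flagged brute-force burst. The log format, the tool identifiers, the vehicle identifiers, the thresholds, and the allow-list are all assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SAFETY_ECUS = {"EPB", "SRS"}                 # control units named in the advisory
AUTHORIZED_TOOLS = {"TOOL-3"}                # constructed allow-list of workshop tools
FAIL_THRESHOLD = 5                           # security-access failures per (vehicle, ecu)...
FAIL_WINDOW = timedelta(seconds=60)          # ...inside this window count as a brute-force burst
CORRELATION_WINDOW = timedelta(minutes=30)   # a flash this soon after a burst is suspect

# Constructed gateway records: "<timestamp> <vehicle> <tool> <ecu> <event>"
SAMPLE_LOG = """\
2026-05-19T08:00:01 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:02 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:03 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:04 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:05 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:06 VEH-001 TOOL-7 EPB SECURITY_ACCESS_FAIL
2026-05-19T08:00:09 VEH-001 TOOL-7 EPB SECURITY_ACCESS_OK
2026-05-19T08:00:15 VEH-001 TOOL-7 EPB FLASH_START
2026-05-19T09:10:00 VEH-002 TOOL-3 SRS SECURITY_ACCESS_OK
2026-05-19T09:10:30 VEH-002 TOOL-3 SRS FLASH_START
2026-05-19T10:00:00 VEH-003 TOOL-3 BCM SECURITY_ACCESS_FAIL
2026-05-19T11:30:00 VEH-004 TOOL-9 EPB SECURITY_ACCESS_OK
2026-05-19T11:30:20 VEH-004 TOOL-9 EPB FLASH_START
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    vehicle: str
    tool: str
    ecu: str
    kind: str


def parse(line: str) -> Event:
    ts, vehicle, tool, ecu, kind = line.split()
    return Event(datetime.fromisoformat(ts), vehicle, tool, ecu, kind)


def analyze(lines) -> list[str]:
    """Return alert strings for brute-force bursts and suspicious safety-ECU flashes."""
    failures = defaultdict(deque)   # (vehicle, ecu) -> timestamps of recent failures
    flagged = {}                    # (vehicle, ecu) -> time a burst was first flagged
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        key = (ev.vehicle, ev.ecu)
        if ev.kind == "SECURITY_ACCESS_FAIL":
            recent = failures[key]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > FAIL_WINDOW:   # slide the window
                recent.popleft()
            if len(recent) >= FAIL_THRESHOLD and key not in flagged:
                flagged[key] = ev.ts
                alerts.append(f"BRUTE_FORCE vehicle={ev.vehicle} ecu={ev.ecu} "
                              f"tool={ev.tool} failures={len(recent)}")
        elif ev.kind == "FLASH_START" and ev.ecu in SAFETY_ECUS:
            reasons = []
            if ev.tool not in AUTHORIZED_TOOLS:
                reasons.append("unauthorized tool")
            if key in flagged and ev.ts - flagged[key] <= CORRELATION_WINDOW:
                reasons.append("follows brute-force pattern")
            if reasons:
                alerts.append(f"SUSPICIOUS_FLASH vehicle={ev.vehicle} ecu={ev.ecu} "
                              f"tool={ev.tool}: " + ", ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed data, VEH-001 trips the burst rule on its fifth failure and its subsequent EPB flash is flagged on both grounds; VEH-002 is an authorized tool flashing SRS after a clean unlock and produces nothing; VEH-004 is flagged only because the tool is not on the allow-list. The burst detector keys on (vehicle, ecu) rather than on the tool identifier, because a tool identifier is attacker-controlled in the threat model this advisory describes.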
Evidence notes
The source corpus ties the issue to BYD Atto3 in the description, but the structured vendor field is low-confidence/unknown and should be verified against official vendor advisories. Timeline context from the supplied record shows publishedAt and modifiedAt both on 2026-05-19. NVD metadata in the source item lists vulnStatus Deferred, CVSS vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H, and weakness CWE-307. The source references are Notion pages titled BYD-Atto3 and CVE-2025-61081.
Official resources
Publicly disclosed in the supplied CVE record on 2026-05-19. No KEV entry, KEV due date, or ransomware-campaign linkage is present in the provided corpus. NVD status is Deferred in the structured source metadata.