PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-70994 Raw CVE debrief

CVE-2025-70994 covers a weak authentication issue in Yadea T5 Electric Bicycles. According to CISA, a local attacker who intercepts a legitimate key fob transmission may be able to forge signals and defeat the authentication mechanism. The advisory is framed as a physical-security risk with high integrity and availability impact, not as a remote software vulnerability.

Vendor: Raw
Product: Yadea T5 Electric Bicycle vers:all/*
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-04-23
Advisory published: 2026-04-23
Advisory updated: 2026-04-23

Who should care

Owners, operators, fleet managers, and service personnel responsible for Yadea T5 Electric Bicycles; also anyone securing parked units in public or semi-public locations.

Technical summary

The source advisory describes weak authentication in the Yadea T5 key-fob mechanism. The attack scenario requires local interception of a legitimate key fob transmission, followed by signal forgery to bypass authentication. The supplied CVSS v3.1 vector is AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, indicating an adjacent attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, and high integrity and availability impact.

Defensive priority

High

Recommended defensive actions

  • Follow the CISA advisory for CVE-2025-70994 and monitor the official CVE/CISA references for updates.
  • Keep affected systems up to date using vendor guidance where available.
  • Use strong external physical locks and layered property security for parked bicycles.
  • Reduce opportunities for local interception of key fob transmissions by limiting exposure in public areas.
  • Contact Yadea through the vendor contact page for current support or remediation guidance.

Evidence notes

Primary evidence is CISA CSAF advisory ICSA-26-113-01, published 2026-04-23, which states: Yadea T5 Electric Bicycles have a weak authentication mechanism vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions. The same source notes that Yadea did not respond to CISA's coordination attempts and recommends keeping systems up to date and securing property with external mechanisms. The source corpus does not provide a KEV entry or ransomware-campaign association.

Official resources

CISA published ICSA-26-113-01 and the associated CVE record on 2026-04-23. The source advisory describes a local attacker scenario involving interception and forgery of legitimate key fob transmissions, and states that Yadea did not respond