PatchSiren cyber security CVE debrief

CVE-2026-1354 Raw CVE debrief

CVE-2026-1354 describes a Bluetooth pairing weakness in Zero Motorcycles firmware versions 44 and prior. If the motorcycle is in Bluetooth pairing mode and an attacker is nearby and able to complete the pairing process, the attacker can forcibly pair a device and then use over-the-air firmware update functionality to potentially upload malicious firmware. The advisory says the attacker's device must remain paired with, and in proximity to, the motorcycle for the full update process. CISA published the advisory on 2026-04-21 with a CVSS v3.1 score of 6.4 (MEDIUM).

Vendor: Raw
Product: Zero Motorcycles firmware <=44
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-04-21
Advisory published: 2026-04-21
Advisory updated: 2026-04-21

Who should care

Zero Motorcycles owners, fleet operators, service teams, and any organization that pairs mobile devices to affected motorcycles or relies on OTA firmware updates should pay attention, especially where vehicles may be left unattended during pairing or servicing.

Technical summary

The advisory states that affected Zero Motorcycles firmware versions 44 and prior can be forced into pairing with a nearby attacker’s Bluetooth device when the motorcycle is already in pairing mode. After pairing, the attacker may abuse the OTA firmware update path to attempt malicious firmware upload. The documented prerequisites include proximity, the motorcycle being in pairing mode, and maintaining the paired connection and proximity throughout the update. The supplied CVSS vector is AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H, indicating no confidentiality impact but meaningful integrity and availability risk.

Defensive priority

Medium. The attack requires proximity and pairing-mode conditions, but the impact could include malicious firmware installation. Prioritize affected vehicles that are commonly serviced in public or semi-public locations, or that rely on routine Bluetooth pairing and OTA updates.

Recommended defensive actions

  • Update Zero Motorcycles firmware to the latest available version as soon as the vendor release is available.
  • Pair mobile devices only in a safe, controlled location where no one else can attempt pairing at the same time.
  • Complete the full pairing process and verify that pairing succeeds before leaving the vehicle unattended.
  • Do not leave the bike unattended with the physical key in the 'ON' position.
  • Store physical keys securely and limit access during maintenance or pairing activities.
  • Monitor vendor and CISA guidance for the planned firmware update scheduled for May 2026.

Evidence notes

All impact, prerequisite, and remediation statements are taken from the CISA CSAF advisory ICSA-26-111-06 published on 2026-04-21. The advisory’s CVSS v3.1 vector is AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H, which corresponds to a 6.4 MEDIUM severity. The advisory also includes an SSVCv2 line with E:N/A:N and a date of 2026-04-17T06:00:00Z. Timing in this debrief uses the advisory publication date supplied in the corpus, not generation time.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-111-06 on 2026-04-21. The advisory states that Zero Motorcycles planned a firmware update for May 2026.