Two popular electric two-wheelers — the Zero Motorcycles electric bike and the Yadea T5 scooter — have been found to contain security vulnerabilities that could give attackers physical control over the vehicles, according to separate advisories recently published by the Cybersecurity and Infrastructure Security Agency (CISA). SecurityWeek spoke directly with the researchers who uncovered both flaws to better understand the real-world implications.
Zero Motorcycles: Bluetooth Flaw Could Allow Malicious Firmware Upload
Researchers at Bureau Veritas Cybersecurity discovered a vulnerability in electric motorcycles made by US-based Zero Motorcycles. The flaw, tracked as CVE-2026-1354, affects firmware version 44 and all earlier releases. CISA classified the issue as medium severity owing to the high complexity required to carry out an attack, but experts warn that a determined, well-resourced threat actor could realistically exploit it.
The vulnerability centers on the motorcycle's Bluetooth pairing process. According to Dinesh Shetty, director of security engineering at Bureau Veritas, the bike enters an open pairing mode whenever a user holds the Mode button for approximately five seconds, or whenever the motorcycle has never been paired with a device before. During that window, the key exchange process does not verify the identity of the connecting party.
"An attacker standing within Bluetooth range could jump in and pair their own device to the bike, and the motorcycle would accept it as a legitimate connection. Once you're paired, you look like a trusted device, and you can use the firmware update channel to push a modified firmware image to the motorcycle."
Safety-Critical Systems at Risk
The consequences of a successful exploit extend well beyond a nuisance. Shetty explained that the motorcycle's main microcontroller governs a range of safety-critical functions, including:
- Torque output
- Regenerative braking
- Contactors that deliver power to the motor
- Battery management and thermal safeguards
A malicious firmware image loaded onto the controller could alter throttle response, interfere with braking behavior, or manipulate battery thermal protections — scenarios with potentially lethal consequences at highway speeds. Shetty also noted that the board includes a cellular modem used for GPS and telemetry, which could theoretically be repurposed for remote command-and-control access.
"We're not talking about someone changing the color of your dashboard; this is firmware that governs the physical behavior of the vehicle."
Mitigation Advice and Vendor Response
CISA has stated that Zero Motorcycles plans to release a firmware update in May. In the meantime, the agency advises users to pair their motorcycle with their phone only in a controlled, private location where no unauthorized party could attempt a simultaneous pairing. Zero Motorcycles did not respond to SecurityWeek's request for comment.
Bureau Veritas Cybersecurity conducts ongoing security research across a broad range of product categories, including open source frameworks, healthcare and financial protocols, password managers, and proprietary systems such as scoreboards.
Yadea T5 Scooter: Weak Authentication Enables Vehicle Theft
A separate CISA advisory addresses a high-severity vulnerability in the Yadea T5 scooter, manufactured by Chinese company Yadea. The flaw is tracked as CVE-2025-70994 and was discovered by researcher Ashen Chathuranga.
The vulnerability involves weak authentication in the scooter's key fob communication protocol. An attacker positioned near the target vehicle can intercept a non-sensitive command transmitted by the legitimate owner — for example, a lock command. Using data captured from that benign transmission, the attacker can mathematically synthesize entirely different commands, including unlock and start commands, effectively enabling scooter theft without physical access to the key fob.
Instant Exploitation, No Patch Available
Unlike the Zero Motorcycles vulnerability, which demands sustained physical proximity and technical sophistication, the Yadea attack can be executed almost immediately. Chathuranga told SecurityWeek that after capturing a single command from the victim, an attacker can instantly issue a synthesized replay attack — no extended monitoring or complex setup required.
As of publication, Yadea has not released a patch to address CVE-2025-70994. CISA and the researchers confirm the vendor remains unresponsive, and Yadea did not reply to SecurityWeek's request for comment.
Broader Implications for Connected Vehicle Security
Both vulnerabilities highlight a growing concern in the connected vehicle space: as electric two-wheelers incorporate Bluetooth, cellular, and RF-based communication systems, their attack surfaces expand significantly. The risks are no longer confined to data privacy or theft — they extend to physical safety, with potential for life-threatening consequences if firmware integrity or vehicle access controls are compromised.
Riders of affected Zero Motorcycles products should follow CISA's interim guidance and watch for the forthcoming May firmware update. Owners of Yadea T5 scooters have no vendor-supplied mitigation available at this time and should remain alert to the possibility of relay or replay attacks in proximity to their vehicles.
Source: SecurityWeek