Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact.
CISA recently published separate advisories for these vulnerabilities, and SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact.
Zero Motorcycles vulnerability
Researchers at Bureau Veritas Cybersecurity discovered that electric motorcycles from US-based Zero Motorcycles are affected by a vulnerability that could allow an attacker to connect to a vehicle over Bluetooth. The security hole, tracked as CVE-2026-1354, affects firmware version 44 and earlier.
According to CISA, which classified the vulnerability as ‘medium severity’ due to the attack’s high complexity, an attacker could gain unauthorized access to all Bluetooth functions and even upload malicious firmware to the bike.
Dinesh Shetty, director of security engineering at Bureau Veritas, told SecurityWeek that while conducting an attack may not be easy, a motivated and well-resourced attacker could pull it off. The expert pointed out that the attacker needs to be physically close to the targeted motorcycle, understand the pairing flow, and remain in proximity until the malicious firmware upload is completed.
Shetty explained,
“Zero motorcycles have a Bluetooth pairing mode that activates when you hold the Mode button for about five seconds, or if the bike has simply never been paired before. During that window, the key exchange doesn’t actually verify who is connecting. An attacker standing within Bluetooth range could jump in and pair their own device to the bike, and the motorcycle would accept it as a legitimate connection. Once you’re paired, you look like a trusted device, and you can use the firmware update channel to push a modified firmware image to the motorcycle.”
Once the attacker uploads malicious firmware, they can perform actions that could pose a serious safety risk.
“The motorcycle’s main microcontroller controls safety-critical features, which include the torque output, regenerative braking, the contactors that deliver power to the motor, and battery management. If you can get your own firmware on there, you can mess with any of that. For a real-world impact, you can think about what that means on a vehicle doing highway speeds. You could alter how the throttle responds, interfere with braking behavior, or even manipulate battery thermal safeguards. The board also has access to a cellular modem for GPS and telemetry, which in theory could be repurposed for remote command-and-control. We’re not talking about someone changing the color of your dashboard; this is firmware that governs the physical behavior of the vehicle.”
CISA said the vendor plans on releasing a firmware patch in May and, in the meantime, has advised users to pair their motorcycle to their phone in a safe location where no one else can attempt pairing at the same time.
Bureau Veritas Cybersecurity says it regularly conducts in-depth research of various types of products, including open source frameworks, healthcare and financial protocols, password managers, and even proprietary systems like scoreboards.
Zero Motorcycles has not responded to SecurityWeek’s request for comment.
Yadea T5 scooter vulnerability
CISA recently published a separate advisory for another potentially serious vulnerability affecting a powered two-wheeler, the T5 scooter made by Chinese company Yadea.
The security hole, tracked as CVE-2025-70994 and rated ‘high severity’, is a weak authentication issue that can allow an attacker to intercept legitimate key fob transmissions.
According to an advisory from Ashen Chathuranga, the researcher who found the vulnerability, an attacker in proximity to the targeted scooter can intercept a non-sensitive command — for instance, a lock command — issued by the owner.
Using data from the victim’s command, the attacker can “mathematically synthesize” a different command, including unlock and start commands, which enables the attacker to steal the electric scooter.
Conducting an attack does not take long. Chathuranga told SecurityWeek that an attacker can instantly issue a new command and conduct a replay attack after capturing a command from the victim.
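To make the "weak authentication" finding concrete from the defender's side, here is an added example that is not part of the SecurityWeek article and is not code from Yadea or from the researcher: a constructed Python model of a key fob command channel in which every frame carries a keyed MAC over the opcode and a monotonic counter. The key, fob identifier, frame layout and command opcodes are all invented for the demo and do not describe the T5's real protocol. The point it shows is the property the advisory says is missing: with such a scheme, a captured lock frame can neither be replayed nor edited into an unlock or start frame, because the tag is bound to both the opcode and the counter and cannot be recomputed without the shared key.

```python
import hmac
import hashlib
import struct

# Constructed demo values (not from the advisory): a shared 128-bit key provisioned
# at pairing time and a fob identifier. A real deployment would provision per-fob keys.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEMO_FOB_ID = 0x5A5A0001

CMD_LOCK, CMD_UNLOCK, CMD_START = 0x01, 0x02, 0x03
HEADER_FMT = ">IIB"                          # fob id, counter, opcode (big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 9 bytes
TAG_LEN = 16                                 # truncated HMAC-SHA256 tag


def make_frame(key: bytes, fob_id: int, counter: int, opcode: int) -> bytes:
    """Fob side: bind opcode and counter to the shared key with an HMAC tag."""
    header = struct.pack(HEADER_FMT, fob_id, counter, opcode)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class ScooterReceiver:
    """Scooter side: verifies the tag first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes, fob_id: int, window: int = 16):
        self.key = key
        self.fob_id = fob_id
        self.last_counter = 0
        self.window = window   # how far ahead the fob may drift (presses out of range)

    def accept(self, frame: bytes):
        if len(frame) != HEADER_LEN + TAG_LEN:
            return (False, "malformed")
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        fob_id, counter, opcode = struct.unpack(HEADER_FMT, header)
        if fob_id != self.fob_id:
            return (False, "unknown fob")
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; the tag check comes before the counter check so a
        # forged frame never influences receiver state.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        if counter <= self.last_counter:
            return (False, "replay")
        if counter - self.last_counter > self.window:
            return (False, "counter out of window")
        self.last_counter = counter
        return (True, opcode)


def run_demo() -> dict:
    """Walk through the scenarios the article describes against a keyed, counted channel."""
    scooter = ScooterReceiver(DEMO_KEY, DEMO_FOB_ID)
    results = {}

    # 1. Owner presses lock; an eavesdropper records this frame.
    lock_frame = make_frame(DEMO_KEY, DEMO_FOB_ID, counter=1, opcode=CMD_LOCK)
    results["owner_lock"] = scooter.accept(lock_frame)

    # 2. Straight replay of the captured frame: tag valid, counter stale.
    results["replay"] = scooter.accept(lock_frame)

    # 3. Captured frame with its opcode byte changed to UNLOCK: tag no longer matches.
    forged = bytearray(lock_frame)
    forged[HEADER_LEN - 1] = CMD_UNLOCK
    results["patched_opcode"] = scooter.accept(bytes(forged))

    # 4. Fresh counter but a guessed key: rejected at the tag check.
    guessed_key = b"\x00" * 16
    results["wrong_key"] = scooter.accept(make_frame(guessed_key, DEMO_FOB_ID, 2, CMD_START))

    # 5. Owner's next genuine press still works; rejected frames did not advance state.
    results["owner_unlock"] = scooter.accept(make_frame(DEMO_KEY, DEMO_FOB_ID, 2, CMD_UNLOCK))

    # 6. A genuine frame far outside the resync window is refused until re-pairing.
    results["far_ahead"] = scooter.accept(make_frame(DEMO_KEY, DEMO_FOB_ID, 100, CMD_START))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15s} -> {outcome}")
```

The receiver checks the tag before it looks at the counter, so the only frames that can move `last_counter` are ones the key holder produced; the resync window bounds how many presses out of range the scooter tolerates before a re-pair is required, which is the usual trade-off in rolling-code designs.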
CISA and the researcher say Yadea has yet to release a patch. The vendor has not responded to SecurityWeek’s request for comment.