Nissan Leaf Hacked for Remote Spying, Physical Takeover

Researchers find vulnerabilities that can be exploited to remotely take control of a Nissan Leaf’s functions, including physical controls.

Researchers have demonstrated that a series of vulnerabilities affecting the Nissan Leaf electric vehicle can be exploited to remotely hack the car, enabling spying and the physical takeover of various functions.

The research was conducted by PCAutomotive, a company that offers penetration testing and threat intelligence services for the automotive and financial services industries. The Nissan Leaf hacking was detailed last week at Black Hat Asia 2025.

PCAutomotive researchers targeted a second generation Nissan Leaf made in 2020. The vulnerabilities they found enabled them to use the infotainment system’s Bluetooth capabilities to infiltrate the car’s internal network.

They were then able to escalate privileges and establish a C&C channel over cellular communications to maintain stealthy and persistent access to the EV directly over the internet. 

The researchers showed that an attacker could exploit the vulnerabilities to spy on the owner by tracking the car’s location, taking screenshots of the infotainment system, and recording people talking in the vehicle.

They were also able to remotely take control of various physical functions, including doors, wipers, the horn, mirrors, windows, lights, and even the steering wheel, even while the car was in motion.

The vulnerabilities have been assigned eight CVE identifiers: CVE-2025-32056 through CVE-2025-32063. The disclosure process started in August 2023 and Nissan confirmed the findings in January 2024, but it took until recently to get the CVEs assigned, according to the researchers. 

Contacted by SecurityWeek, a Nissan spokesperson commented, “PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”

PCAutomotive has published a video showing how their exploits were used to remotely hack the Nissan Leaf. 

Automotive exploits can have a significant monetary value. At the recent Pwn2Own Automotive hacking competition, participants earned a total of $886,000 for exploits targeting EV chargers and infotainment systems.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
