HIGH

CVE-2025-70994

CWE-1390 · Published: April 23, 2026 · Updated: Apr 24, 2026

CVSS v3.1: 7.3
EPSS: 0.03% probability of exploitation in 30 days (percentile: 8.8th)

Official Description

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

NVD Source
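
The difference between a fixed-code receiver and one that uses rolling codes, shown as an added example that is not from NVD, CISA or the vendor. It models the receiver side only; the frame layouts, key, counter window and all values are constructed assumptions, not the Yadea implementation.

```python
import hmac, hashlib

# Constructed sample values, not taken from any real key fob.
FOB_ID = 0xA5C3F                  # 20-bit fixed identifier (simplified frame model)
BTN_UNLOCK = 0x1                  # 4-bit button code
SECRET = b"constructed-demo-key"  # per-fob key shared at pairing (assumption)
WINDOW = 16                       # how far ahead of the stored counter is accepted

def fixed_frame(fob_id, button):
    """Fixed-code frame: the same 24 bits on every button press."""
    return (fob_id << 4) | button

class FixedCodeReceiver:
    def __init__(self, paired_id):
        self.paired_id = paired_id
    def accept(self, frame):
        # Only check: does the ID match? Nothing ties the frame to one press.
        return frame >> 4 == self.paired_id

def rolling_frame(secret, counter, button):
    """Rolling-code frame: counter, button, and a truncated HMAC over both."""
    msg = counter.to_bytes(4, "big") + bytes([button])
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:8]
    return msg + tag

class RollingCodeReceiver:
    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0
    def accept(self, frame):
        msg, tag = frame[:5], frame[5:]
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                  # forged or corrupted frame
        counter = int.from_bytes(msg[:4], "big")
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False                  # already-used counter, or too far ahead
        self.last_counter = counter       # each counter value is single-use
        return True

def demo():
    """Return (fixed first, fixed repeat, rolling first, rolling repeat)."""
    fixed, rolling = FixedCodeReceiver(FOB_ID), RollingCodeReceiver(SECRET)
    f = fixed_frame(FOB_ID, BTN_UNLOCK)
    r = rolling_frame(SECRET, 1, BTN_UNLOCK)
    return fixed.accept(f), fixed.accept(f), rolling.accept(r), rolling.accept(r)
```

The fixed-code receiver accepts the identical frame every time it is presented, while the rolling-code receiver accepts each authenticated counter value once and rejects the repeat.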

Technical Analysis

CVE-2025-70994 has an Adjacent attack vector: the attacker must be local to the vehicle and its key fob in order to intercept a legitimate transmission, which rules out remote exploitation.

Exploitation does not require any privileges, though user interaction is required, which slightly reduces the risk of mass automated attacks.

A successful exploit results in full integrity compromise (data manipulation) and availability disruption (denial of service), for a CVSS base score of 7.3.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Adjacent
  Attack Complexity: Low
  Privileges Req.: None
  User Interaction: Required
  Scope: Unchanged
Impact
  Confidentiality: None
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

News & Research Mentioning CVE-2025-70994

Yadea T5 Electric Bicycle
CISA Alerts· Apr 23, 2026

Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft.

The following versions of Yadea T5 Electric Bicycle are affected: T5 Electric Bicycle vers:all/* (CVE-2025-70994)

CVSS: v3 7.3
Vendor: Yadea
Equipment: Yadea T5 Electric Bicycle
Vulnerabilities: Weak Authentication

Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: China

Vulnerabilities
CVE-2025-70994: Yadea T5 Electric Bicycles have a weak authentication mechanism which is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions.

Affected Pro

Quick Facts

CVE ID: CVE-2025-70994
CVSS Score: 7.3 / 10
Severity: HIGH
Weakness: CWE-1390
CISA KEV: No
EPSS (30d): 0.03%
Published: Apr 23, 2026

Known Threat Actors

core
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-70994 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.