MEDIUM

CVE-2026-1354

CWE-322 · Published: April 21, 2026 · Updated: Apr 22, 2026

CVSS v3.1: 6.4
EPSS: 0.02% probability of exploitation in 30 days (percentile: 5.6th)

Official Description

Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.

NVD Source

Technical Analysis

CVE-2026-1354 requires adjacent access (Attack Vector: Adjacent): per the description, the attacker must be within Bluetooth range of the motorcycle. This rules out exploitation from a remote network, but the risk remains wherever an attacker can get close to the vehicle.

Exploitation does not require any privileges, but user interaction is required, which slightly reduces the risk of mass automated attacks.

A successful exploit results in full integrity compromise (data manipulation) and availability disruption (denial of service), for a CVSS base score of 6.4.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Adjacent
Attack Complexity: High
Privileges Req.: None
User Interaction: Required
Scope: Unchanged

Impact
Confidentiality: None
Integrity: High
Availability: High

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

News & Research Mentioning CVE-2026-1354

Zero Motorcycles Firmware
CISA Alerts · Apr 21, 2026

Successful exploitation of this vulnerability could allow an attacker to pair via Bluetooth with a motorcycle, gaining unauthorized access to all Bluetooth functions, including changing the firmware. The following versions of Zero Motorcycles Firmware are affected: Zero Motorcycles firmware <=44 (CVE-2026-1354)

CVSS v3: 6.4
Vendor: Zero Motorcycles
Equipment: Zero Motorcycles Firmware
Vulnerabilities: Key Exchange without Entity Authentication

Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-1354: Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motor

Quick Facts

CVE ID: CVE-2026-1354
CVSS Score: 6.4 / 10
Severity: MEDIUM
Weakness: CWE-322
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 21, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-1354 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.