CVE-2026-1354
CWE-322 · Published: April 21, 2026 · Updated: Apr 22, 2026
Official Description
Zero Motorcycles firmware versions 44 and prior enable an attacker to
forcibly pair a device with the motorcycle via Bluetooth. Once paired,
an attacker can utilize over-the-air firmware updating functionality to
potentially upload malicious firmware to the motorcycle. The motorcycle
must first be in Bluetooth pairing mode, and the attacker must be in
proximity of the vehicle and understand the full pairing process, to be
able to pair their device with the vehicle. The attacker's device must
remain paired with and in proximity of the motorcycle for the entire
duration of the firmware update.
Technical Analysis
CVE-2026-1354 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.
Exploitation requires no privileges, but user interaction is required, which slightly reduces the risk of mass automated attacks.
A successful exploit results in full integrity compromise (data manipulation) and availability disruption (denial of service); the CVSS base score is 6.4.
News & Research Mentioning CVE-2026-1354
Source: CISA Alerts
Successful exploitation of this vulnerability could allow an attacker to pair via Bluetooth with a motorcycle, gaining unauthorized access to all Bluetooth functions, including changing the firmware.
The following versions of Zero Motorcycles Firmware are affected: Zero Motorcycles firmware <=44 (CVE-2026-1354)
CVSS: v3 6.4
Vendor: Zero Motorcycles
Equipment: Zero Motorcycles Firmware
Vulnerabilities: Key Exchange without Entity Authentication
Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States
Vulnerabilities
CVE-2026-1354: Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motor
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-1354 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts