CVE-2026-2540
CWE-288Published: February 15, 2026· Updated: Feb 18, 2026
Official Description
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and execute a command. Successful exploitation allows an attacker to clone the alarm key. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors.
Technical Analysis
CVE-2026-2540 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-288)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-2540 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts