
Kaspersky Flags Critical Vulnerabilities in Connected-Car Systems

  • Writer: Safer Highways
  • 1 hour ago


Cybersecurity firm Kaspersky has uncovered serious security flaws in a vehicle manufacturer’s connected-car infrastructure, according to a report presented at the Security Analyst Summit 2025.


The audit revealed that a zero-day SQL injection in a contractor’s exposed web application could allow attackers to access telematics systems and potentially take control of key vehicle functions, including engine shutdown, gear shifting, or manipulation of systems while the vehicle is in operation, reports Telematics Wire.


Kaspersky’s research identified multiple weaknesses, including publicly accessible web services, poor password policies, lack of two-factor authentication, and insufficient network segmentation. Exploiting these vulnerabilities, researchers were able to access privileged systems, extract hashed credentials, identify misconfigured firewalls, and discover firmware-update commands capable of interacting with the vehicle’s CAN bus, which controls major modules such as the engine and transmission.


In response to these findings, Kaspersky is urging the automotive industry and its contractors to strengthen cybersecurity measures. Recommendations include implementing robust password policies, enabling two-factor authentication, isolating telematics platforms from vehicle networks, encrypting sensitive data, and deploying logging and monitoring systems (SIEM) for real-time detection of anomalies.


The report highlights the risks posed by third-party systems and contractor access, which can create vulnerabilities that threaten driver safety and damage brand trust if left unaddressed.

 
 
 
