A significant security flaw in Tesla’s Model 3 vehicles has been revealed during the 2025 Pwn2Own hacking competition, exposing potential risks in the evolving realm of automotive cybersecurity. The flaw allows attackers to execute malicious code remotely via the vehicle’s Tire Pressure Monitoring System (TPMS), putting critical driving functions at risk.
The vulnerability, tracked as CVE-2025-2082, has a CVSS score of 7.5, which rates it as high severity. It affects Tesla Model 3 vehicles running firmware versions prior to 2024.14 and could allow unauthorized access to the Vehicle Control System Electronic Controller (VCSEC), which manages essential vehicle communications.
Notably, exploitation requires proximity to the vehicle, typically within Bluetooth or Wi-Fi range, but does not require authentication, which amplifies the threat. Should attackers succeed, they could manipulate key functions such as braking and acceleration, leading to hazardous situations for drivers.
The issue was first uncovered by Synacktiv researchers Thomas Imbert, Vincent Dehors, and David Berard during the Pwn2Own competition. Tesla promptly issued a fix in October 2024 with the release of firmware version 2024.14. However, owners are urged to install the update manually to patch their vehicles.
As vehicles continue to integrate more technology, the importance of automotive cybersecurity cannot be overstated. Tesla has recommended that all users verify their firmware version and apply necessary updates without delay. In light of this significant vulnerability and its implications, the need for enhanced cybersecurity measures in the automotive industry remains critical.
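For anyone checking more than one vehicle, the firmware check above can be scripted. The following is an added example, not Tesla tooling or code from the original article; it assumes version strings of the form `YYYY.N[.N...]` with an optional build suffix, and the vehicle labels and inventory are constructed sample data.

```python
import re

# First fixed release named in the article; anything earlier is affected.
FIXED = (2024, 14)

# Assumed format: "YYYY.N[.N...]" optionally followed by a build suffix.
_VERSION = re.compile(r"^\s*(\d{4})\.(\d+)((?:\.\d+)*)(?:\s+\S+)?\s*$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it does not parse."""
    match = _VERSION.match(text or "")
    if not match:
        return None
    rest = [int(part) for part in match.group(3).split(".") if part]
    return (int(match.group(1)), int(match.group(2)), *rest)


def status(text):
    """Classify one reported firmware string against the fixed release."""
    version = parse_version(text)
    if version is None:
        # Fail closed: an unreadable version is never reported as patched.
        return "unknown"
    # Compare numerically. As plain strings "2024.8.9" sorts after
    # "2024.14", which would wrongly mark an affected car as patched.
    return "patched" if version[:2] >= FIXED else "vulnerable"


def triage(inventory):
    """Group vehicle labels by status so follow-up work is explicit."""
    groups = {"patched": [], "vulnerable": [], "unknown": []}
    for label, reported in inventory.items():
        groups[status(reported)].append(label)
    return {name: sorted(labels) for name, labels in groups.items()}


# Constructed sample inventory (labels and versions are illustrative).
SAMPLE_INVENTORY = {
    "car-01": "2024.14",
    "car-02": "2024.8.9",
    "car-03": "2023.44.30.8 abcdef",
    "car-04": "2024.14.3",
    "car-05": "",
    "car-06": "2025.2.6",
}

if __name__ == "__main__":
    for name, labels in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(labels) or '-'}")
```

Vehicles in the `unknown` group should be checked by hand rather than assumed safe.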