Zero Motorcycles Firmware

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow an attacker to pair via Bluetooth with a motorcycle, gaining unauthorized access to all Bluetooth functions, including changing the firmware. /strong /p p The following versions of Zero Motorcycles Firmware are affected: /p ul li Zero Motorcycles firmware lt;=44 (CVE-2026-1354) /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 6.4 /td td Zero Motorcycles /td td Zero Motorcycles Firmware /td td Key Exchange without Entity Authentication /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Transportation Systems /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong United States /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-1354 /a /h3 div class="csaf-accordion-content" p Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-1354" View CVE Details /a /p hr h4 Affected Products /h4 h5 Zero Motorcycles Firmware /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Zero Motorcycles /div div class="ics-version" strong Product Version: /strong br Zero Motorcycles Zero Motorcycles firmware: lt;=44 /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Mitigation /strong br Zero Motorcycles has investigated this report and cautions users to pair their mobile device to their vehicle in a safe location where they can be sure no one else will try to pair at the same time. Once initiated, complete the full pairing process and confirm it is successful. Store physical keys in a secure location and do not leave the bike unattended with the key in the "ON" position. Zero Motorcycles plans to address