Yadea and Zero Motorcycles: Electric Motorcycles and Scooters Face Hacking Risks to Security and Rider Safety

Cybersecurity Flaws in Electric Motorcycles and Scooters Pose Physical Safety Risks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories for critical vulnerabilities in electric motorcycles and scooters from Zero Motorcycles and Yadea, which could allow attackers to compromise vehicle safety and security.

Zero Motorcycles Bluetooth Vulnerability (CVE-2026-1354)

Researchers at Bureau Veritas Cybersecurity discovered a medium-severity flaw in Zero Motorcycles’ firmware (version 44 and earlier) that enables unauthorized Bluetooth access. An attacker within range could exploit the pairing process, which is triggered by holding the Mode button or runs during initial setup, to connect a malicious device. Once paired, the attacker could upload malicious firmware and gain control over safety-critical functions, including:

  • Throttle and braking behavior
  • Battery management and thermal safeguards
  • Cellular modem access (GPS/telemetry repurposing for remote control)

While the attack requires proximity and technical expertise, a determined threat actor could manipulate vehicle performance, posing risks at high speeds. Zero Motorcycles plans a firmware patch in May and advises users to pair devices in secure locations.

Yadea T5 Scooter Authentication Flaw (CVE-2025-70994)

A high-severity vulnerability in Yadea’s T5 electric scooter allows attackers to intercept and replay key fob commands, enabling theft. Researcher Ashen Chathuranga demonstrated that an attacker near the scooter can capture a legitimate command (e.g., locking) and synthesize unauthorized unlock/start signals in real time. The flaw stems from weak authentication, and exploiting it requires no specialized equipment. Yadea has not yet released a patch.
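
The receiver-side checks that this class of flaw lacks, as an added example that is not Yadea's code or protocol: each frame carries a counter and a keyed tag, so a captured frame cannot be replayed and a lock frame cannot be turned into an unlock frame. The frame layout, key, command codes and window size are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; not taken from any real fob or scooter.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CMD_LOCK, CMD_UNLOCK = 0x01, 0x02
TAG_LEN = 8    # truncated HMAC-SHA256 tag, in bytes
WINDOW = 64    # how far ahead of the last accepted counter a frame may be


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Fob side: counter (4 bytes) | command (1 byte) | tag over both."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Vehicle side: accepts a frame only if it is authentic and fresh."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes):
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                  # forged or altered frame
        counter, command = struct.unpack(">IB", body)
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return None                  # replayed or out-of-window frame
        self.last_counter = counter      # commit only after both checks pass
        return command


def demo():
    rx = Receiver(SHARED_KEY)
    lock = build_frame(SHARED_KEY, 1, CMD_LOCK)
    first = rx.accept(lock)              # genuine button press
    replay = rx.accept(lock)             # the same bytes seen a second time
    # Captured lock frame with the command byte changed and the old tag kept.
    altered = lock[:4] + bytes([CMD_UNLOCK]) + lock[5:]
    forged = Receiver(SHARED_KEY).accept(altered)
    return first, replay, forged
```

The command byte is covered by the tag, which is what prevents a captured lock frame from being reused as the basis for an unlock frame.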

Both incidents highlight growing cybersecurity risks in connected vehicles, where software flaws can translate to physical safety threats. The vendors have not responded to requests for comment.

Source: https://www.securityweek.com/electric-motorcycles-and-scooters-face-hacking-risks-to-security-and-rider-safety/

Yadea TPRM report: https://www.rankiteo.com/company/yadea

Zero Motorcycles TPRM report: https://www.rankiteo.com/company/zeromotorcycles

"id": "zeryad1777422472",
"linkid": "zeromotorcycles, yadea",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Automotive (Electric Motorcycles)',
                        'name': 'Zero Motorcycles',
                        'type': 'Manufacturer'},
                       {'industry': 'Automotive (Electric Scooters)',
                        'name': 'Yadea',
                        'type': 'Manufacturer'}],
 'attack_vector': ['Bluetooth Exploitation', 'Key Fob Command Replay'],
 'customer_advisories': 'Zero Motorcycles advises users to pair devices in '
                        'secure locations',
 'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
                '(CISA) has issued advisories for critical vulnerabilities in '
                'electric motorcycles and scooters from Zero Motorcycles and '
                'Yadea, which could allow attackers to compromise vehicle '
                "safety and security. Zero Motorcycles' Bluetooth "
                'vulnerability enables unauthorized access to safety-critical '
                "functions, while Yadea's T5 scooter authentication flaw "
                'allows key fob command interception and replay, enabling '
                'theft.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'safety and security flaws',
            'operational_impact': 'Manipulation of throttle, braking, and '
                                  'battery management systems; potential theft '
                                  'of scooters',
            'systems_affected': ['Vehicle Control Systems',
                                 'Key Fob Authentication']},
 'lessons_learned': 'Growing cybersecurity risks in connected vehicles can '
                    'translate to physical safety threats due to software '
                    'flaws.',
 'post_incident_analysis': {'corrective_actions': ['Firmware patch for Zero '
                                                   'Motorcycles',
                                                   'Pending patch for Yadea'],
                            'root_causes': ['Weak Bluetooth pairing '
                                            'authentication (Zero Motorcycles)',
                                            'Weak key fob authentication '
                                            '(Yadea)']},
 'recommendations': 'Manufacturers should prioritize secure authentication '
                    'mechanisms, timely firmware updates, and user education '
                    'on secure pairing practices.',
 'references': [{'source': 'CISA Advisories'},
                {'source': 'Bureau Veritas Cybersecurity'},
                {'source': 'Ashen Chathuranga (Researcher)'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA advisories '
                                                       'issued'},
 'response': {'communication_strategy': 'Advisories issued by CISA; Zero '
                                        'Motorcycles advises users to pair '
                                        'devices in secure locations',
              'remediation_measures': 'Zero Motorcycles plans a firmware patch '
                                      'in May 2026; Yadea has not yet released '
                                      'a patch',
              'third_party_assistance': 'Bureau Veritas Cybersecurity (for '
                                        'Zero Motorcycles), Ashen Chathuranga '
                                        '(for Yadea)'},
 'stakeholder_advisories': 'CISA advisories; Zero Motorcycles user guidance',
 'title': 'Cybersecurity Flaws in Electric Motorcycles and Scooters Pose '
          'Physical Safety Risks',
 'type': ['Firmware Vulnerability', 'Authentication Flaw'],
 'vulnerability_exploited': ['CVE-2026-1354', 'CVE-2025-70994']}