Assessment
CFSE Consequence Paths assesses Tesla Model 3 VCSEC TPMS Integer Overflow RCE (CVE-2025-2082) at CRITICAL — the worst of 2 risk paths (perception, safety). The dominant consequence is manipulated perception that drives action.
Vulnerability
Tesla Model 3 VCSEC TPMS Integer Overflow RCE (CVE-2025-2082). Reported attack vector: Adjacent network (wireless TPMS / RF range).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
PERCEPTION_TO_ACTION → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:2/EX:2/PH:3/DP:4/AT:3/CH:4/SR:4/SX:2/OR:4/EV:3/LS:PATCH_AVAILABLE
Exposure EX=2 (reachability and complexity-bound) · bands PH=HIGH · DP=CRITICAL · AT=HIGH → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.
- Distinct terminal: the TPMS sensor-trust/perception path is weaponized and drives physical action. RE:2 adjacent RF range to inject crafted TPMS cert_response. EC:2 reproducible integer-overflow exploit. AT:3 the module trusting TPMS perception is the security/immobilizer controller; gaining control of it subverts a safety-relevant sensor-trust boundary. PH:3 the corrupted perception/control path leads to actuation (immobilizer/lock state) affecting vehicle security and theft risk, safety-margin reduction. DP:4 a safety-relevant sensor/perception input (TPMS, a vehicle sensor-trust channel) is manipulated and feeds a control module.
- perception_feeds_action — true: manipulated TPMS perception is processed by VCSEC which actuates immobilizer/lock and bridges CAN. CH:4 RF perception -> RCE -> CAN actuation bridge. SR:4 portable firmware exploit. SX:2 per-vehicle proximity. OR:4 OTA fleet update. EV:3 reproduced at Pwn2Own. PATCH_AVAILABLE; no in-the-wild exploitation.
DEVICE_CONTROL_SAFETY → HIGH
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:3/DP:3/AT:3/CH:4/SR:4/SX:2/OR:4/EV:3/LS:PATCH_AVAILABLE
Exposure EX=2 (reachability and complexity-bound) · bands PH=HIGH · DP=HIGH · AT=HIGH → base HIGH · uplift recall-class recovery → assessed HIGH.
RE:2 adjacent RF/TPMS wireless range, no physical contact, no creds. EC:2 advanced-but-reproducible memory-corruption integer overflow exploit chain, demonstrated working at Pwn2Own. AT:3 admin/service authority over the VCSEC security module (immobilizer, locks) plus CAN-command injection, but not a signing/OTA trust root. PH:3 safety-margin reduction / unsafe control influence via CAN (immobilizer disable, door unlock) enabling theft and potential interference with controls; demonstrated impacts are control-plane bypass rather than crash-level injury, so not PH:4. DP:3 firmware/security-relevant operational state of a control module. CH:4 cross-domain authority transfer: RF sensor input -> code exec on security module -> CAN bus -> vehicle commands, a reusable multi-hop bridge. SR:4 same firmware/hardware exploit is portable across identical units (shared firmware artifact). SX:2 still per-vehicle proximity attack, no fleet-wide remote trigger. OR:4 remediation required an OTA firmware update pushed across the affected fleet (fleet reprovision-class). EV:3 reproduced live at Pwn2Own Automotive 2024. PATCH_AVAILABLE; not known exploited in the wild.
Published baseline
- v3.0 7.5 HIGH —
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H — ZDI via NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources