Electric motorcycles manufactured by Zero Motorcycles and scooters from Yadea have been found to contain vulnerabilities that could affect both security and rider safety. Recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA) highlight these risks, drawing attention to potential real-world consequences.
Vulnerabilities in Zero Motorcycles
Zero Motorcycles, a US-based manufacturer, has a Bluetooth vulnerability in its electric motorcycles. The flaw, tracked as CVE-2026-1354, affects firmware versions up to 44. Researchers from Bureau Veritas Cybersecurity found that an attacker could exploit this weakness to gain unauthorized access and upload malicious firmware to the motorcycle.
CISA classifies the vulnerability as ‘medium severity’ because of the complexity involved in executing an attack. Dinesh Shetty, who leads security engineering at Bureau Veritas, explained that an attacker must be within Bluetooth range and understand the device’s pairing process to succeed. An attacker who meets both conditions can pair their own device and potentially control critical functions of the motorcycle.
Potential Impacts of Bluetooth Exploitation
Once the malicious firmware is installed, the attacker can manipulate various safety-critical functions, such as torque output and braking systems, posing significant risks at high speeds. Even more concerning is the possibility of remote command-and-control through the bike’s cellular modem, which adds a layer of complexity to the potential threat.
In response, CISA has advised users to pair their motorcycles in secure locations while waiting for a firmware patch expected in May. Despite these developments, Zero Motorcycles has yet to issue a public response.
Yadea T5 Scooter Vulnerability
Another noteworthy vulnerability affects the T5 scooter by Yadea, a Chinese company. This issue, identified as CVE-2025-70994 and deemed ‘high severity’, allows attackers to intercept commands sent between the scooter and its key fob. By capturing a legitimate command, such as locking the scooter, attackers can generate unauthorized commands to unlock or even start the scooter.
Researcher Ashen Chathuranga has demonstrated that such attacks can be executed quickly, enabling potential theft with ease. As of now, Yadea has not released a patch or provided an official comment regarding the vulnerability.
These findings underscore the need for heightened security measures in the design and operation of electric vehicles, as the potential for cyber threats continues to grow.
