Researchers have identified a critical vulnerability CVE-2025-44179 in the remote management interface of several major transit providers’ onboard modems.
Exploiting this weakness, attackers can both track the real-time location of buses and issue remote control commands to critical subsystems such as door operations, engine start/stop, and HVAC settings.
Key Takeaways
1. Embedded backdoors and unauthenticated API/SSH/Telnet access in bus modems.
2. MQTT credentials and unencrypted telemetry leak real-time GPS and operational data.
3. Mitigate by disabling insecure services.
According to researcher Chiao-Lin Yu, the firmware of the onboard routers contains hard-coded credentials, similar to the “app:$1$/w1tlbIY” account found in HITRON CGNF-TWN modems.
By opening a plain Telnet connection (telnet <DEVICE_IP>), an attacker can drop into a BusyBox shell.
Once inside, the adversary may escalate privileges via a hidden backdoor loop in the startup script.
This backdoor, originally intended for ISP diagnostics, permits arbitrary code execution (RCE) on the bus’s network gateway.
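The two findings above (a baked-in password hash and a startup script that hands out a shell) are exactly what a firmware audit should catch before a modem is fielded. The following is an added example, not code from the researcher or from any modem vendor: it runs a small rule set over files pulled from an extracted firmware image. The sample /etc/passwd and /etc/init.d/rcS contents, the account hash placeholder and the rule list are constructed for the example; only the $1$ (MD5-crypt) prefix and the account name "app" come from the article.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for two files pulled out of an extracted modem firmware
# image. The contents are illustrative: they are not the real HITRON files, and
# the 'app' hash is a placeholder that only keeps the $1$ (MD5-crypt) prefix
# mentioned in the article.
SAMPLE_FILES = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "app:$1$PLACEHOLDERHASH:1000:1000::/:/bin/sh\n"
        "nobody:*:99:99::/:/bin/false\n"
    ),
    "/etc/init.d/rcS": (
        "#!/bin/sh\n"
        "mount -t proc proc /proc\n"
        "/usr/sbin/dropbear -p 22 &\n"
        "telnetd -l /bin/sh &\n"
        "while true; do\n"
        "  [ -f /tmp/diag ] && sh /tmp/diag\n"
        "  sleep 10\n"
        "done &\n"
    ),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    severity: str
    message: str

# (path regex, line regex, severity, message); {acct} is filled from group 1.
RULES = [
    (r"/etc/(passwd|shadow)$", re.compile(r"^([^:]+):\$1\$"), "high",
     "account '{acct}' ships with an MD5-crypt ($1$) password hash baked into the image"),
    (r"/etc/passwd$", re.compile(r"^([^:]+):\$[0-9a-z]+\$"), "medium",
     "account '{acct}' keeps its hash in world-readable /etc/passwd instead of /etc/shadow"),
    (r"/etc/(init\.d/|rc)", re.compile(r"(?:^|\s|/)telnetd\b"), "high",
     "init script starts telnetd (cleartext remote shell)"),
    (r"/etc/(init\.d/|rc)", re.compile(r"telnetd\b.*\s-l\s+\S*sh\b"), "critical",
     "telnetd is launched with -l pointing at a shell, so there is no login at all"),
    (r"/etc/(init\.d/|rc)", re.compile(r"(?:^|\s|/)(?:dropbear|sshd)\b"), "medium",
     "init script starts an SSH daemon; confirm it is needed and keyed per device"),
    (r"/etc/(init\.d/|rc)", re.compile(r"\bsh\s+/tmp/\S+"), "high",
     "startup loop executes a file from writable /tmp (backdoor/persistence hook)"),
]

def audit_firmware(files):
    """Run RULES over each file in the image and return findings sorted by location."""
    findings = []
    for path, content in files.items():
        applicable = [r for r in RULES if re.search(r[0], path)]
        for line_no, line in enumerate(content.splitlines(), 1):
            for _, line_re, severity, message in applicable:
                m = line_re.search(line)
                if m:
                    acct = m.group(1) if m.groups() else ""
                    findings.append(Finding(path, line_no, severity, message.format(acct=acct)))
    return sorted(findings, key=lambda f: (f.path, f.line_no, f.severity))

def severity_counts(findings):
    """Tally findings per severity so a fleet-wide run can be summarised."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in audit_firmware(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.line_no}  {f.message}")
```

The rules are deliberately path-scoped: a hash in /etc/shadow is a weaker finding than one in /etc/passwd, and a telnetd line only matters in an init script. Run it over every firmware build an agency receives, not just the first one, since a vendor update can reintroduce a diagnostic hook.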
Modern smart buses rely on MQTT for telematics and remote diagnostics. Research shows that the same CA certificate and client credentials are deployed fleet-wide, allowing an attacker to subscribe to location topics.
By subscribing with default credentials (cms@mqtt / samepassword), a malicious actor can map bus routes in real time and predict arrival times, jeopardizing passenger privacy and operational schedules.
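Fleet-wide credential sharing leaves a clear trace on the broker: one user name connecting as many client ids, and a client nobody provisioned subscribing to wildcard location topics. The following detection is an added example and not code from the article or any broker project. The log excerpt is constructed in a format modelled on Mosquitto's log lines; the client ids, addresses and inventory sets are sample data, and only the shared user name "cms" is taken from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed broker log excerpt, modelled on Mosquitto's log format. The
# client ids, addresses and the shared user name 'cms' (from the article) are
# sample data for this example, not real fleet traffic.
SAMPLE_LOG = """\
1717000001: New client connected from 10.20.0.17:51234 as bus-17 (p2, c1, k60, u'cms').
1717000002: Received SUBSCRIBE from bus-17
1717000002: \tfleet/bus-17/cmd (QoS 1)
1717000005: New client connected from 10.20.0.18:51235 as bus-18 (p2, c1, k60, u'cms').
1717000006: Received SUBSCRIBE from bus-18
1717000006: \tfleet/bus-18/cmd (QoS 1)
1717000009: New client connected from 10.20.0.19:51236 as bus-19 (p2, c1, k60, u'cms').
1717000030: New client connected from 203.0.113.45:40111 as mqttx_7c1f (p2, c1, k60, u'cms').
1717000031: Received SUBSCRIBE from mqttx_7c1f
1717000031: \tfleet/+/location (QoS 0)
1717000040: New client connected from 10.20.1.2:50001 as dispatch-01 (p2, c1, k60, u'dispatch').
1717000041: Received SUBSCRIBE from dispatch-01
1717000041: \tfleet/+/location (QoS 0)
"""

# Fleet inventory the detector trusts (constructed for the example).
KNOWN_DEVICES = {"bus-17", "bus-18", "bus-19"}
KNOWN_CONSUMERS = {"dispatch-01"}

CONNECT_RE = re.compile(r"New client connected from (?P<ip>[\d.]+):\d+ as (?P<cid>\S+) \((?P<flags>[^)]*)\)")
SUB_RE = re.compile(r"Received SUBSCRIBE from (?P<cid>\S+)")
FILTER_RE = re.compile(r"^\d+: \t(?P<filter>\S+) \(QoS \d\)")

@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    detail: str

def parse_log(text):
    """Return (connections, subscriptions): [(ip, cid, user)] and [(cid, filter)]."""
    connections, subscriptions = [], []
    pending = None  # client whose SUBSCRIBE filters follow on indented lines
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            u = re.search(r"u'([^']*)'", m["flags"])
            connections.append((m["ip"], m["cid"], u.group(1) if u else "<anonymous>"))
            pending = None
            continue
        m = SUB_RE.search(line)
        if m:
            pending = m["cid"]
            continue
        m = FILTER_RE.match(line)
        if m and pending:
            subscriptions.append((pending, m["filter"]))
        else:
            pending = None
    return connections, subscriptions

def covers_location(topic_filter):
    """A filter exposes position data if its last level is 'location' or '#'."""
    return topic_filter.split("/")[-1] in ("location", "#")

def analyze(text, known_devices, known_consumers, share_threshold=3):
    """Flag shared credentials, unprovisioned clients and location snooping."""
    connections, subscriptions = parse_log(text)
    alerts = []
    clients_by_user = defaultdict(set)
    last_ip = {}
    for ip, cid, user in connections:
        clients_by_user[user].add(cid)
        last_ip[cid] = ip
    for user, cids in sorted(clients_by_user.items()):
        if len(cids) >= share_threshold:
            alerts.append(Alert("shared-credential", user, "used by " + ", ".join(sorted(cids))))
    for ip, cid, user in connections:
        if cid not in known_devices and cid not in known_consumers:
            alerts.append(Alert("unknown-client", cid, f"connected from {ip} as user '{user}'"))
    for cid, topic_filter in subscriptions:
        if covers_location(topic_filter) and cid not in known_consumers:
            alerts.append(Alert("unknown-location-subscriber", cid,
                                f"{topic_filter} from {last_ip.get(cid, '?')}"))
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, KNOWN_DEVICES, KNOWN_CONSUMERS):
        print(f"{a.kind:28} {a.subject:12} {a.detail}")
```

The share threshold is the important knob: with one credential per device, any user name seen from more than one client id is already suspicious, so on a properly provisioned fleet the threshold can drop to 2. The inventory check only works if the agency actually keeps an authoritative list of client ids, which is itself a prerequisite for the mitigations below.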
The flaw extends to the HTTP management API. An unauthenticated attacker may invoke the config.xgi endpoint to adjust critical parameters.
This API, lacking proper authentication controls, enables password resets for admin accounts and subsequent takeover of the vehicle’s CAN bus interface. Once inside, attackers could remotely command door actuators or disable brakes.
Transit agencies must immediately disable Telnet/SSH services on modems, enforce unique per-device credentials, and deploy firmware updates that remove hard-coded backdoors.
Additionally, migrating MQTT streams to mutually authenticated TLS with distinct client certificates per device will thwart unauthorized subscriptions.
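Distinct client certificates only pay off if the broker derives each client's identity from its certificate and then scopes topics to that identity, so that bus-17 can publish its own location but cannot read another vehicle's. The following is an added example of that authorization step, not code from the article, a broker, or a transit operator. The CN naming scheme (bus-NN, dispatch-NN), the roles, the topic layout and the %c placeholder (borrowed in spirit from Mosquitto's ACL patterns) are assumptions for this example.

```python
import re

# Topic policy keyed by role. '%c' is replaced with the identity taken from
# the client certificate's CN, in the spirit of Mosquitto's ACL patterns.
# The roles, CN naming scheme and topic layout are assumptions for this example.
POLICY = {
    "device":   [("publish", "fleet/%c/#"), ("subscribe", "fleet/%c/cmd")],
    "dispatch": [("subscribe", "fleet/+/location"), ("subscribe", "fleet/+/status"),
                 ("publish", "fleet/+/cmd")],
}

def identity_from_subject(subject):
    """Pull the CN out of a certificate subject such as 'CN=bus-17,O=Example Transit'.
    Simplified RFC 4514 handling for the example: escaped commas are not supported."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def role_of(identity):
    """Map a certificate identity to a policy role; anything unrecognised gets none."""
    if identity is None:
        return None
    if re.fullmatch(r"bus-\d+", identity):
        return "device"
    if re.fullmatch(r"dispatch-\d+", identity):
        return "dispatch"
    return None

def covers(pattern, requested):
    """True if every topic matched by `requested` is also matched by `pattern`.
    Works for concrete publish topics and for subscription filters alike:
    '+' matches one level, '#' matches all remaining levels, and a wildcard in
    the request is only accepted where the pattern is at least as wide."""
    p, r = pattern.split("/"), requested.split("/")
    for i, ps in enumerate(p):
        if ps == "#":
            return True
        if i >= len(r):
            return False
        rs = r[i]
        if rs == "#":
            return False  # request is wider than the pattern at this level
        if ps == "+":
            continue      # pattern accepts any single level, literal or '+'
        if rs != ps:
            return False  # literal mismatch, or request used '+' where pattern is literal
    return len(p) == len(r)

def authorize(identity, action, topic):
    """Decide whether the certificate-derived identity may `action` on `topic`."""
    role = role_of(identity)
    if role is None:
        return False
    return any(a == action and covers(pattern.replace("%c", identity), topic)
               for a, pattern in POLICY[role])

if __name__ == "__main__":
    cn = identity_from_subject("CN=bus-17,O=Example Transit")
    for action, topic in [("publish", "fleet/bus-17/location"),
                          ("publish", "fleet/bus-18/location"),
                          ("subscribe", "fleet/+/location")]:
        print(cn, action, topic, "->", "allow" if authorize(cn, action, topic) else "deny")
```

On Mosquitto the broker-side half of this is a TLS listener with require_certificate true, use_identity_as_username true and allow_anonymous false, so the CN is the only identity the ACL ever sees; a client cannot simply claim to be "cms". Note that covers() rejects a requested "fleet/#" even for dispatch, which is what stops a single over-broad subscription from silently widening into every device's command topics.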
Lastly, rigorous input validation on all XGI endpoints is essential to prevent command injection attacks.
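"Rigorous input validation" on a config-style endpoint means three things in practice: the request carries a session, every parameter is on an allowlist with a strict value grammar, and whatever survives is applied without ever being pasted into a shell string. The following is an added example of such a handler, not code from the article or from any modem vendor's XGI implementation. The parameter names, value grammars, roles and the Session type are assumptions for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "viewer", "operator" or "admin"

ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}

# Allowlist for a config-style endpoint: parameter -> (value grammar, minimum role).
# Parameter names, grammars and roles are assumptions for the example. Because
# grammars are matched with fullmatch(), shell metacharacters such as ';' or
# '$(' can never be part of an accepted value.
PARAM_RULES = {
    "hostname":       (re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"), "operator"),
    "ntp_server":     (re.compile(r"[A-Za-z0-9.-]{1,253}"), "operator"),
    "log_level":      (re.compile(r"debug|info|warn|error"), "viewer"),
    "admin_password": (re.compile(r"[^\s]{12,128}"), "admin"),
}

def validate_config_request(session, params):
    """Return (accepted, error): accepted is the validated parameter dict, or None
    with a reason. Authentication is checked before anything else is looked at."""
    if session is None:
        return None, "authentication required"
    if session.role not in ROLE_RANK:
        return None, "unknown role"
    accepted = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            return None, f"unknown parameter '{name}'"
        grammar, min_role = rule
        if not isinstance(value, str) or grammar.fullmatch(value) is None:
            return None, f"invalid value for '{name}'"
        if ROLE_RANK[session.role] < ROLE_RANK[min_role]:
            return None, f"'{name}' requires role '{min_role}'"
        accepted[name] = value
    if not accepted:
        return None, "no parameters supplied"
    return accepted, None

def hostname_argv(validated):
    """argv for applying a validated hostname. Pass this list to subprocess.run
    without shell=True; the unsafe pattern is os.system("hostname " + value)."""
    return ["hostname", validated["hostname"]]

if __name__ == "__main__":
    admin = Session("root", "admin")
    for params in [{"hostname": "bus-17", "log_level": "warn"},
                   {"hostname": "bus-17; reboot"},
                   {"admin_password": "short"}]:
        print(params, "->", validate_config_request(admin, params))
    print(validate_config_request(None, {"hostname": "bus-17"}))
```

The order of checks matters: an unauthenticated caller learns nothing about which parameters exist, and an operator who submits admin_password is told about the role requirement only after the value has already passed the grammar, so neither path leaks more than it must. Password changes should additionally be bound to the authenticated session (re-entering the current password, or a one-time token) rather than accepted on the strength of a session cookie alone.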
As public transport evolves, ensuring the security of connected infrastructure is paramount. Without swift action, threat actors could not only jeopardize passenger safety but also disrupt entire urban transit networks.
The post Smart Bus Systems Vulnerability Let Hackers Remotely Track and Control Vehicles appeared first on Cyber Security News.