Cyber Posture

CVE-2023-34397

High

Published: 13 February 2025

Modified: 27 June 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0033 (55.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Mercedes Benz head-unit NTG 6 contains functions to import or export profile settings over USB. During parsing of these settings, the service can be made to crash.

Security Summary

CVE-2023-34397 affects the Mercedes Benz head-unit NTG 6, which includes functions for importing or exporting profile settings over USB. The vulnerability arises during parsing of these settings, allowing an attacker to trigger a crash of the associated service, resulting in a denial-of-service condition. Classified under CWE-400 (Uncontrolled Resource Consumption), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.

An unauthenticated attacker (PR:N) can exploit this over a network vector (AV:N) with low attack complexity and no user interaction required. Exploitation crashes the service, disrupting availability on the affected head-unit.

Mitigation details are outlined in the security research advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.

Details

CWE(s): CWE-400

Affected Products

mercedes-benz / headunit ntg6 mercedes-benz user experience (≤ 2021)

References