Zero Motorcycles Firmware

Monitor | CVSS 6.4 | ICS-CERT ICSA-26-111-06 | Apr 21, 2026
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A Bluetooth pairing vulnerability in Zero Motorcycles firmware (version 44 and earlier) allows an attacker within Bluetooth range to pair with a motorcycle without authorization during an active pairing session. Successful exploitation grants the attacker access to all Bluetooth functions, including the ability to modify the motorcycle's firmware. The vulnerability requires specific timing during the pairing process and is exploitable without authentication credentials. Zero Motorcycles plans to release a firmware update in May 2026 to address this issue.

What this means
What could happen
An attacker within Bluetooth range could pair with your motorcycle without authorization and modify firmware or access Bluetooth functions, potentially disabling the bike or altering its operation.
Who's at risk
Operators of Zero Motorcycles (firmware version 44 and earlier) who rely on Bluetooth connectivity for mobile device pairing and firmware management. This affects any rider or fleet operator using these motorcycles in environments where unauthorized persons might attempt to compromise the pairing process.
How it could be exploited
An attacker with Bluetooth access to the motorcycle initiates a pairing request while the owner is also pairing their mobile device. If the attacker completes pairing first or simultaneously, they gain unauthorized Bluetooth access and can execute firmware updates or other Bluetooth commands.
Prerequisites
  • Bluetooth proximity to the motorcycle (typically 10–100 meters depending on environment)
  • The motorcycle and a mobile device must be simultaneously attempting to pair
  • The attacker must be able to interact with the pairing process without the owner's awareness
Bluetooth proximity required | User interaction required during pairing | Firmware modification possible if pairing succeeds | No patch currently available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Zero Motorcycles firmware | ≤ 44 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Pair your mobile device to your motorcycle only in a secure location where no unauthorized persons can attempt to pair at the same time
WORKAROUND: Ensure the Bluetooth pairing process is fully completed and confirmed successful before leaving the pairing environment
HARDENING: Store physical keys securely and do not leave the motorcycle unattended with the key in the ON position
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update motorcycle firmware to the latest available version when the May 2026 firmware update becomes available
API: /api/v1/advisories/eeae9560-5eec-4e02-9e04-06bfbe489de7