Cyber Resilience

CVE-2023-34397

HighDDoS

Published: 13 February 2025

Published
13 February 2025
Modified
27 June 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0033 56.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-34397 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-34397 affects the Mercedes Benz head-unit NTG 6, which includes functions for importing or exporting profile settings over USB. The vulnerability arises during parsing of these settings, allowing an attacker to trigger a crash of the associated service, resulting in a denial-of-service condition. Classified under CWE-400 (Uncontrolled Resource Consumption), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.

An unauthenticated attacker (PR:N) can exploit this over a network vector (AV:N) with low attack complexity and no user interaction required. Exploitation crashes the service, disrupting availability on the affected head-unit.

Mitigation details are outlined in the security research advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.

EU & UK References

Vulnerability details

Mercedes Benz head-unit NTG 6 contains functions to import or export profile settings over USB. During parsing you can trigger that the service will be crashed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.002 Service Exhaustion Flood Impact
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

Vulnerability directly enables service crash via resource exhaustion during profile parsing, mapping to Service Exhaustion Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-34398Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34402Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34399Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34400Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2025-21231Shared CWE-400
CVE-2025-0114Shared CWE-400
CVE-2026-27630Shared CWE-400
CVE-2026-6052Shared CWE-400
CVE-2024-56921Shared CWE-400
CVE-2026-33538Shared CWE-400

Affected Assets

mercedes-benz
headunit ntg6 mercedes-benz user experience
≤ 2021

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates profile settings inputs prior to parsing to prevent uncontrolled resource consumption and service crashes from malformed USB data.

prevent

Implements denial-of-service protections to limit effects of the parsing vulnerability that crashes the head-unit service.

prevent

Ensures error handling during profile parsing does not disclose information or lead to service denial-of-service crashes.

References