CVE-2025-69515
Published: 07 April 2026
Summary
CVE-2025-69515 is a critical-severity Incorrectly Specified Destination in a Communication Channel (CWE-941) vulnerability in JXL (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-42 (Sensor Capability and Data) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper validation of falsified GPS signals by requiring checks on information inputs to the infotainment system.
Protects GPS sensor capability and data against spoofing by restricting and validating sensor inputs and operations.
Ensures integrity of GPS data transmissions over the network, helping to detect and block falsified signals.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation of the public-facing infotainment system (T1190) directly enables falsified GPS data injection, resulting in runtime manipulation of the location data reported by the device (T1565.003).
NVD Description
An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location.
Deeper analysis
CVE-2025-69515 is a vulnerability affecting the JXL 9 Inch Car Android Double Din Player running Android v12.0. The issue enables attackers to force the infotainment system into accepting falsified GPS signals as legitimate, causing the device to report an incorrect or static location. Published on 2026-04-07, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-941.
Remote attackers can exploit this vulnerability over the network with low attack complexity, without requiring privileges or user interaction. Successful exploitation allows them to spoof GPS data, compromising the integrity and availability of location services on the infotainment system, while confidentiality remains unaffected.
Advisories and further details, including potential mitigations, are available at http://jxl.com and https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md.
Details
- CWE(s)