Cyber Resilience

CVE-2025-70994

High

Published: 23 April 2026

Modified: 24 April 2026
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0005 (15.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70994 is a high-severity Weak Authentication (CWE-1390) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, it is ranked at the 15.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2025-70994 is a vulnerability in the keyless entry system of Yadea T5 Electric Bicycles manufactured in or after 2024. The system relies on the EV1527 fixed-code RF protocol, which lacks rolling codes or cryptographic challenge-response mechanisms. This weak authentication enables signal forgery via replay attacks after an attacker intercepts any legitimate key fob transmission.

A physically proximate attacker with adjacent network access (AV:A) and no privileges (PR:N) can exploit this vulnerability. By capturing a valid RF signal from a key fob and replaying it, the attacker achieves complete unauthorized operation of the vehicle, resulting in high impacts to integrity (I:H) and availability (A:H) with no confidentiality impact (C:N). The attack has low complexity (AC:L) but requires user interaction (UI:R), as scored at CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and mapped to CWE-1390.

GitHub repositories at https://github.com/ktauchathuranga/CVE-2025-70994 and https://github.com/ktauchathuranga/ghost-keys provide details on the vulnerability, including proof-of-concept code for demonstration. No vendor advisories or patches are referenced in the available information.

Vulnerability details

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-52541 (Shared CWE-1390)
CVE-2025-40554 (Shared CWE-1390)
CVE-2026-6886 (Shared CWE-1390)
CVE-2025-1293 (Shared CWE-1390)
CVE-2025-1387 (Shared CWE-1390)
CVE-2026-40417 (Shared CWE-1390)
CVE-2024-48886 (Shared CWE-1390)
CVE-2024-50563 (Shared CWE-1390)
CVE-2025-12870 (Shared CWE-1390)
CVE-2025-57713 (Shared CWE-1390)

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Mandates that authenticators such as the EV1527 fixed-code RF signals have sufficient strength of mechanism to resist replay attacks by requiring rolling codes or cryptographic challenge-response.

Prevent: Requires the bicycle system to identify and authenticate key fob devices using strong authenticators, preventing unauthorized operation from intercepted and replayed signals.

Prevent: Establishes authentication and encryption requirements for wireless access, directly mitigating the weak fixed-code RF protocol vulnerable to local signal forgery.
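
The receiver-side difference between the fixed-code check described above and a counter-plus-MAC rolling code, as an added example (not code from the vendor, this record, or the referenced repositories). The frame layout, key, window size and all class and function names are assumptions made for illustration; the fixed-code fob is modelled only as a constant value.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real fob or vehicle.
FIXED_CODE = bytes.fromhex("a5c3f1")       # constant frame a fixed-code fob sends on every press
SHARED_KEY = b"constructed-demo-key-0001"  # per-fob secret provisioned at pairing (assumption)
WINDOW = 16                                # how far ahead of the last counter the receiver accepts

class FixedCodeReceiver:
    """Models the weakness: the only check is equality with a stored constant."""
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

def fob_frame(key, counter, button=1):
    """Hypothetical rolling-code frame: counter || button || truncated HMAC-SHA256."""
    body = struct.pack(">IB", counter, button)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Accepts a frame only if the MAC verifies and the counter moves forward."""
    def __init__(self, key, last_counter=0):
        self.key, self.last = key, last_counter
    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                     # forged or corrupted frame
        counter, _button = struct.unpack(">IB", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False                     # stale (already seen) or too far ahead
        self.last = counter                  # the same frame can never be accepted twice
        return True

def demo():
    """Returns (fixed_first, fixed_again, rolling_first, rolling_again, rolling_next)."""
    fixed = FixedCodeReceiver(FIXED_CODE)
    rolling = RollingCodeReceiver(SHARED_KEY)
    frame = fob_frame(SHARED_KEY, 1)
    return (fixed.accept(FIXED_CODE), fixed.accept(FIXED_CODE),
            rolling.accept(frame), rolling.accept(frame),
            rolling.accept(fob_frame(SHARED_KEY, 2)))

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver has no state, so it cannot tell a second presentation of the same frame from a new button press; the rolling-code receiver rejects it because the counter did not advance.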

References