Electric Motorcycles and Scooters Face Hacking Risks to Security and Rider Safety
Zero Motorcycles and Yadea electric scooters vulnerable to hacking attacks affecting rider safety.
Summary
Researchers discovered critical vulnerabilities in Zero Motorcycles electric motorcycles (CVE-2026-1354) and Yadea T5 electric scooters (CVE-2025-70994) that could allow attackers to gain unauthorized control via Bluetooth and weak key fob authentication. The Zero Motorcycles flaw enables firmware manipulation affecting safety-critical functions like throttle and braking, while the Yadea vulnerability permits scooter theft through command synthesis. Neither vendor has yet released a patch or responded to requests for comment.
Full text
Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact. CISA recently published separate advisories for these vulnerabilities, and SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact.

Zero Motorcycles vulnerability

Researchers at Bureau Veritas Cybersecurity discovered that electric motorcycles from US-based Zero Motorcycles are affected by a vulnerability that could allow an attacker to connect to a vehicle over Bluetooth. The security hole, tracked as CVE-2026-1354, affects firmware version 44 and earlier.

According to CISA, which classified the vulnerability as ‘medium severity’ due to the attack’s high complexity, an attacker could gain unauthorized access to all Bluetooth functions and even upload malicious firmware to the bike.

Dinesh Shetty, director of security engineering at Bureau Veritas, told SecurityWeek that while conducting an attack may not be easy, a motivated and well-resourced attacker could pull it off. The expert pointed out that the attacker needs to be physically close to the targeted motorcycle, understand the pairing flow, and remain close until the malicious firmware upload is completed.

Shetty explained:

“Zero motorcycles have a Bluetooth pairing mode that activates when you hold the Mode button for about five seconds, or if the bike has simply never been paired before. During that window, the key exchange doesn’t actually verify who is connecting. An attacker standing within Bluetooth range could jump in and pair their own device to the bike, and the motorcycle would accept it as a legitimate connection. Once you’re paired, you look like a trusted device, and you can use the firmware update channel to push a modified firmware image to the motorcycle.”

Once the attacker uploads malicious firmware, they can perform actions that could pose a serious safety risk.

“The motorcycle’s main microcontroller controls safety-critical features, which include the torque output, regenerative braking, the contactors that deliver power to the motor, and battery management. If you can get your own firmware on there, you can mess with any of that. For a real-world impact, you can think about what that means on a vehicle doing highway speeds. You could alter how the throttle responds, interfere with braking behavior, or even manipulate battery thermal safeguards. The board also has access to a cellular modem for GPS and telemetry, which in theory could be repurposed for remote command-and-control. We’re not talking about someone changing the color of your dashboard; this is firmware that governs the physical behavior of the vehicle.”

CISA said the vendor plans on releasing a firmware update in May and in the meantime it has advised users to pair their motorcycle to their phone in a safe location where no one else can attempt pairing at the same time.

Bureau Veritas Cybersecurity regularly conducts in-depth research of various types of products, including open source frameworks, healthcare and financial protocols, password managers, and even proprietary systems like scoreboards.

Zero Motorcycles has not responded to SecurityWeek’s request for comment.

Yadea T5 scooter vulnerability

CISA recently published a separate advisory for another potentially serious vulnerability affecting a powered two-wheeler, the T5 scooter made by Chinese company Yadea. The security hole, tracked as CVE-2025-70994 and rated ‘high severity’, is a weak authentication issue that can allow an attacker to intercept legitimate key fob transmissions.

According to an advisory from Ashen Chathuranga, the researcher who found the vulnerability, an attacker in proximity to the targeted scooter can intercept a non-sensitive command, for instance a lock command, issued by the owner. Using data from that non-sensitive command, the attacker can “mathematically synthesize” a different command, including unlock and start commands, which enables the attacker to steal the scooter.

Conducting the attack does not require an extended period. Chathuranga told SecurityWeek that an attacker can instantly issue a new command and conduct a replay attack after capturing a command from the victim.

CISA and the researchers say Yadea has yet to release a patch, and the vendor has not responded to SecurityWeek’s request for comment.

Written By Eduard Kovacs
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.
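
The Yadea issue described above is a key fob frame whose authenticity does not depend on which command it carries or on whether it has been seen before. As an added example (not from the article, the advisory or the vendor), this receiver-side check binds a MAC to the command and a monotonic counter, so a captured lock frame cannot be edited into an unlock frame or replayed. The frame layout, command codes, tag length and key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # truncated HMAC-SHA256 tag length (assumed)
WINDOW = 64   # how far ahead of the last accepted counter a frame may be
CMD_LOCK, CMD_UNLOCK, CMD_START = 0x01, 0x02, 0x03  # hypothetical command codes
HDR = ">IIB"  # assumed header layout: fob_id(4) | counter(4) | cmd(1)


def _tag(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, fob_id: int, counter: int, cmd: int) -> bytes:
    """Fob side: the MAC covers id, counter and command together."""
    header = struct.pack(HDR, fob_id, counter, cmd)
    return header + _tag(key, header)


class Receiver:
    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id, self.last_counter = key, fob_id, 0

    def accept(self, frame: bytes):
        """Return the command code if the frame is authentic and fresh, else None."""
        hdr_len = struct.calcsize(HDR)
        if len(frame) != hdr_len + TAG_LEN:
            return None
        header, tag = frame[:hdr_len], frame[hdr_len:]
        if not hmac.compare_digest(tag, _tag(self.key, header)):
            return None  # any changed field (e.g. lock -> unlock) breaks the MAC
        fob_id, counter, cmd = struct.unpack(HDR, header)
        if fob_id != self.fob_id:
            return None
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return None  # replayed or stale frame
        self.last_counter = counter
        return cmd


def demo():
    """Constructed key and frames: genuine lock, replay, edited command, genuine unlock."""
    key, fob = bytes(range(32)), 0xA1B2C3D4
    rx = Receiver(key, fob)
    lock = build_frame(key, fob, 1, CMD_LOCK)
    edited = bytearray(build_frame(key, fob, 2, CMD_LOCK))
    edited[8] = CMD_UNLOCK  # command byte changed after the MAC was computed
    return [rx.accept(lock), rx.accept(lock), rx.accept(bytes(edited)),
            rx.accept(build_frame(key, fob, 2, CMD_UNLOCK))]
```

A production design would also need per-device keys and counter resynchronisation, which this example leaves out.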
Indicators of Compromise
- cve — CVE-2026-1354
- cve — CVE-2025-70994