CVE-2015-2908

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:C/I:C/A:C
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
VendorProductVersion
mobile_devicesc4_obd-ii_dongle_firmware
𝑥
≤ 3.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.kb.cert.org/vuls/id/209512
https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
http://www.kb.cert.org/vuls/id/209512
https://www.usenix.org/conference/woot15/workshop-program/presentation/foster