Vulnerabilities found in Zero Motorcycles and Yadea scooters

Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact, according to a recent report by Security Week, citing recent CISA advisories.

US-based Zero Motorcycles is affected by a medium severity vulnerability (CVE-2026-1354) in firmware version 44 and earlier. An attacker within Bluetooth range could gain unauthorized access to all Bluetooth functions and upload malicious firmware. This could allow manipulation of safety-critical features like torque output, regenerative braking, and battery management, potentially affecting vehicle behavior at high speeds. A patch is expected in May.

Separately, the Yadea T5 electric scooter has a high severity vulnerability (CVE-2025-70994) due to weak authentication. An attacker can intercept a legitimate key fob transmission, such as a lock command, and use the data to synthesize an unlock or start command, enabling theft of the scooter. This attack can be performed instantly after capturing a command. Yadea has not yet released a patch for this issue.

Source: Security Week