{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69515", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T14:19:30.744Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:06:44.223Z"}, "descriptions": [{"lang": "en", "value": "An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://jxl.com"}, {"url": "https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-941", "lang": "en", "description": "CWE-941 Incorrectly Specified Destination in a Communication Channel"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:14:00.577101Z", "id": "CVE-2025-69515", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:19:30.744Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69515", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:14:00.577101Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-941", "description": "CWE-941 Incorrectly Specified Destination in a Communication Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:17:35.690Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://jxl.com"}, {"url": "https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md"}], "descriptions": [{"lang": "en", "value": "An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T19:06:44.223Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69515", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:19:30.744Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location."}], "id": "CVE-2025-69515", "lastModified": "2026-04-09T15:16:08.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T20:16:22.950", "references": [{"source": "cve@mitre.org", "url": "http://jxl.com"}, {"source": "cve@mitre.org", "url": "https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-941"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "12.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 90.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jxl_9_inch_car_android_double_din_player", "vendor": "jxlindia"}], "analysis": {"en": {"generated_at": "2026-04-10T11:25:53.053936+00:00", "value": {"mitigation_remediation": ["Verify the availability of a newer firmware version for the JXL infotainment unit and install it immediately.", "If no update is available, limit the GPS input to trusted hardware modules or disable external GPS data processing to prevent spoofed signals from being accepted.", "Segregate the infotainment network to block unauthorized data sources from reaching the GPS interface.", "Enable logging of location reports and periodically reconcile them against known vehicle routes to detect anomalies early."], "summary": {"action": "Apply Update", "impact": "Location spoofing via falsified GPS signals"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the JXL 9 Inch Car Android Double Din Player running Android v12.0. No additional vendor or product versions are listed, so the scope is limited to this specific infotainment unit.", "description_and_impact": "An issue in the JXL 9 Inch Car Android Double Din Player Android v12.0 permits an attacker to force the infotainment system into accepting forged GPS signals as legitimate. When triggered, the device reports an incorrect or static location, thereby undermining the integrity of navigation data, potentially enabling geofence evasion, routing manipulation, or other location\u2011based exploits. The weakness maps to CWE\u2011941, reflecting improper authentication or authorization of external signal sources.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high severity impact, while the EPSS score of less than 1% points to a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the attacker to supply falsified GPS data to the device, which could be achieved through a compromised OBD interface, a physical access to the device, or exploitation of a network channel feeding GPS data. These conditions imply that the attacker needs proximity or compromised input channels, but once achieved, the impact is substantial."}}}}, "created": "2026-04-08T19:50:25.912623+00:00", "title": "GPS Spoofing in JXL 9\u2011Inch Car Android Infotainment", "updated": "2026-04-13T14:27:28.117668+00:00", "vendors": ["jxlindia", "jxlindia$PRODUCT$jxl_9_inch_car_android_double_din_player"]}