How I hacked 100,000+ motorcycles (including my own)…
Introduction
My name is Ilnur Khakimov, and I work as a Penetration Tester (Ethical Hacker) at Bureau Veritas Cybersecurity. In my work, I’m often given websites, apps, and devices to find weaknesses, exploit and report them.
This article is about me hacking my own motorcycle through an IDOR vulnerability, earning the CVE-2025-11690 for it, and the struggles I faced while requesting this CVE.
Background information
During an assessment at work, I was assigned a project where I had to perform a security audit of a device and its connection to its server.
For this assessment, I built a MITM lab environment in which traffic from any connected device would be routed through my machine. Any encrypted traffic, like HTTPS, would be decrypted by tricking the devices into using my certificates for encryption, allowing me to see and manipulate information sent between the device and its server.
Once I built this environment and completed the audit, it was already time for lunch. But curiosity got the better of me. What would happen if I plugged my own smartphone into this lab environment?
So instead of going for lunch, I connected my smartphone and started to analyze its behavior. Immediately I noticed unnecessary tracking information was being sent in the background to three big corporations without my knowledge or any interaction. Was I surprised? Not at all. Was I morally outraged? Yes, of course.
My motorcycle
I decided to open some apps. The most interesting one I found was the app for my motorcycle — a CFMoto 450 SR-S with the CFMoto Ride App for tracking and navigation.
CFMoto Ride App for my motorcycle
I discovered that pretty much everything I saw inside my motorcycle’s app was not stored in the app itself, but retrieved from the server when the app started. This information included the pictures, personal data, and all the technical details of my motorcycle.
Among the requests made to retrieve this information, I found one that queried technical data about the bike: its location, encryption info (key, IV), fuel level, and much more.
All of the interesting information in one single request!
An intercepted request
What I noticed about this request was that it queried all this information using a single GET parameter (vehicleId) with just a number as its value.
In my curiosity, I wondered what would happen if I changed this number. Would the app verify, based on other information, whether I was allowed to query data that might belong to other people? Did the developers of this motorbike account for someone looking under the hood of their own product?
The Vulnerability
I decided to send a new request, with a slightly changed number. I expected the server to throw me an error like “Not allowed” or “Internal Server Error,” but nothing seemed to change at first sight.
I looked closely at the response from the server. I noticed that the vehicleId parameter in the response matched the one I manually supplied — but why did the information look so similar?
Request with changed vehicleId parameter
I decided to check the coordinates. For my own vehicle ID (motorcycle), it started with a longitude of 4.xxx and the same seemed true here.
But the last numbers of the coordinates were slightly different. Since I’m not an expert in geography or navigation, I assumed this difference wasn’t significant and was probably some technical inaccuracy.
I decided to verify this hypothesis by looking up both coordinates through online services.
First, the request for my own vehicle ID: the coordinates corresponded exactly with its actual location where I parked it in Amsterdam.
GPS location received with my vehicleId
Then the slightly changed vehicle ID: Luxembourg… Luxembourg???
That’s not a minor technical error! Neither am I smart enough to believe I just found a vulnerability this serious on my own.
I changed the number slightly again and looked up the coordinates: Belgium...
GPS location received with changed vehicleId
I still couldn’t believe it. A company worth over $6 billion making a mistake like this? And I’m the one to spot it?
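The missing server-side check behind this kind of IDOR, shown as an added example (not part of the original article and not CFMoto's code): a lookup that trusts the supplied vehicleId next to one that verifies ownership. All names, tokens and records below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vehicle:
    vehicle_id: int
    owner_id: str
    longitude: float
    latitude: float
    fuel_level: int

# Constructed sample records with guessable, sequential IDs.
VEHICLES = {
    1001: Vehicle(1001, "alice", 4.90, 52.37, 80),
    1002: Vehicle(1002, "bob", 6.13, 49.61, 35),
}
# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}
# Denied cross-account lookups, kept as a detection signal.
AUDIT = []

def get_vehicle_vulnerable(token, vehicle_id):
    """Authenticates the caller but never checks who owns vehicle_id."""
    if token not in SESSIONS:
        return 401, None
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None:
        return 404, None
    return 200, vehicle

def get_vehicle_hardened(token, vehicle_id):
    """Object-level authorization: the record must belong to the caller."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is not None and vehicle.owner_id != user:
        AUDIT.append((user, vehicle_id))  # someone probing foreign IDs
    # Same 404 for "does not exist" and "not yours", so the response
    # does not reveal which IDs are valid.
    if vehicle is None or vehicle.owner_id != user:
        return 404, None
    return 200, vehicle
```

Repeated entries in `AUDIT` for one account across many different IDs are the pattern a backend team would alert on.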
Doubts
I went to a colleague for a sanity check. She thought it was a cool vulnerability — and most importantly, she had no doubt it existed.
I then went for a second (or third) opinion, this time from the most senior colleague I could find. I hoped he could point out some technical nuance or mistake that would mean the vulnerability wasn’t real.
When I showed him the issue, he first laughed at how simple the mistake was and said he hadn’t seen something like that in a long time. But he didn’t deny the existence of the vulnerability either!
That meant I could potentially get my first CVE ever!
Vulnerabilities get a CVE number assigned once they’re patched and verified by an authority — think of it as a reference number for scientific papers, which also give credit to the researcher in the community.
The struggles of reporting the vulnerability
As a good hacker, I decided to report this vulnerability to the manufacturer. I looked up whether the manufacturer had a Coordinated Vulnerability Disclosure (CVD) program itself or if it had outsourced it to any platform.
Many companies that are serious about their security have a CVD program or are part of one organized by a third party. This allows a safe and coordinated way to communicate vulnerabilities between security researchers worldwide and the right people inside the organization.
I couldn’t find anything in that regard, so I looked further. Inside the app (which had 100,000+ installations on Google Play alone), I found an option to report problems with the app — which I did. I told them I found a vulnerability possibly affecting all their customers. I left my contact information in the form and requested a secure platform for sharing details. Up to this day, I haven’t received a response from this end.
I then found an email address in the privacy statement, which the manufacturer claimed belonged to the privacy officer. It wasn’t the typical <firstname>.<lastname>@<domain>.com format we’re used to. The literal email was app@<domain>.com. I sent the privacy officer several emails, but those remained silent too.
Involving the national institutions
I decided to escalate and contact security institutions for help. In my case, the National Cyber Security Center of the Netherlands (NCSC-NL) did all the heavy lifting to reach the manufacturer.
At first, they contacted the local importer of the brand. From there, they received contacts for the manufacturer in China, who finally replied to our email. They provided us with the “correct” email address to send the issue to: app@<domain>.com — the same one I had reached out to weeks earlier.
At the request of the NCSC, I sent another email to that address and included the NCSC in CC. After a couple of weeks of repetitive follow-ups, we finally got a response confirming the vulnerability. The manufacturer stated they would roll out an update by the end of that week.
Now, slightly over two months later, I’m happy to say the vulnerability has been addressed, and I’ve been awarded my first ever CVE with a severity score of 8,5/10:
CVE-2025-11690
To CFMoto:
I’m very happy with my bike, which I bought last year. Thanks to you, young people like me can enjoy the freedom of owning a motorbike with modern tech — without having to sell a kidney first.
Yet, I’d recommend addressing the struggles mentioned in this blog. Security is not an option; it’s a fundamental. When hundreds of thousands of motorbikes and their owners can be traced with a single click, it’s not acceptable to ignore the issue for weeks — especially when government institutions are already involved. Apart from posing danger to your customers, issues like these can also have legal consequences if discovered and exploited by someone with a different moral compass.
I’d recommend setting up or joining a CVD program, whether in-house or outsourced to a third party. This would provide a clear structure for reporting new vulnerabilities when found.
As an optional bonus, you could reward researchers through such a program to encourage global participation in improving security.
Appendix
A special thanks to NCSC-NL for coordinating communication with the client and assigning a CVE.
Another special thanks to my colleagues from Bureau Veritas Cybersecurity, from whom I learned the skills that made this achievement possible.
Links
Contact: https://www.linkedin.com/in/ilnur-khakimov/
CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-11690
CFMoto Ride App: https://play.google.com/store/apps/details/CFMOTO_RIDE?id=com.cfmoto.cfmotointernational
Originally published on Medium by Ilnur Khakimov of Bureau Veritas Cybersecurity, this article has been republished here with permission of the author.