Unrated severityNVD Advisory· Published Aug 23, 2015· Updated May 6, 2026

CVE-2015-2906

Description

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.

Affected products

Munic/Mobile Devices (mdi) Obd Ii Donglesv5
Range: 0
Mobile Devices/C4 Obd Ii Dongle Firmware
cpe:2.3:o:mobile_devices:c4_obd-ii_dongle_firmware:*:*:*:*:*:*:*:*
Range: <=3.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.kb.cert.org/vuls/id/209512nvdThird Party AdvisoryUS Government Resource
www.usenix.org/conference/woot15/workshop-program/presentation/fosternvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000