CVE-2018-18071
Description
An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive information such as latitude, longitude, and direction of travel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Encrypted data exchange between Mercedes-Benz Me app and server can be intercepted, enabling vehicle control and data theft.
Vulnerability
The Daimler Mercedes-Benz Me app version 2.11.0-846 for iOS exchanges data with its backend through the Connected Vehicle API [1] over an encrypted channel. That channel can nevertheless be intercepted. The public description does not name the root cause; an encrypted exchange that an on-path party can still read is typically a transport-layer validation weakness on the client side (for example a client that accepts an attacker-supplied certificate, trusts user-installed CAs, or does not pin the server's certificate) rather than a flaw in the cipher itself. Which of these applies here is not stated in the source.
Exploitation
An attacker positioned on the network path between the app and the server (for example on the same Wi-Fi network, or operating a malicious access point) can perform a man-in-the-middle attack: terminate the TLS session from the app, read and optionally modify the plaintext, and forward it to the real server. No privileges on the device or on the backend are required beyond the ability to observe or tamper with the app's network traffic. Note that the description says the exchange "might be intercepted"; it does not document a specific attack procedure.
Impact
Successful exploitation lets the attacker read sensitive information carried over the channel, such as the vehicle's latitude, longitude, and direction of travel. Because the same channel carries the commands the app issues, an attacker who can read and modify it is also in a position to operate the Remote Parking Pilot and unlock the vehicle, that is, to control safety- and theft-relevant vehicle functions without authorization.
Mitigation
No specific fix is detailed in the provided reference [1]. Users should update the Mercedes-Benz Me app to the latest version available on the iOS App Store, since the affected build predates the October 2018 disclosure; whether and in which version the issue was addressed is not stated in the cited reference. Until then, avoid using the app on untrusted networks. For developers of comparable apps, the standard controls against this class of issue are strict certificate validation plus certificate or public-key pinning for the backend, and refusing connections when the presented certificate is not the expected one.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
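The narrative above names missing certificate pinning as one plausible cause of an "encrypted but interceptable" channel. The following is an added example, written for this page and not code from the Mercedes-Benz Me app or from the cited references, of the client-side check that closes that gap: after the TLS handshake the client compares the server's leaf certificate against a baked-in pin and refuses the connection on mismatch. The hostname `api.example.invalid`, the helper names (`pinned_connect`, `pin_matches`), and the certificate byte strings are assumptions; the byte strings are constructed stand-ins, not real DER certificates, so the demonstration runs offline.

```python
"""Certificate pinning check of the kind that stops the MITM scenario above.

Added example, not code from the Mercedes-Benz Me app or from the cited
references. Assumptions: the app talks to its backend over TLS and the
client can obtain the server's leaf certificate in DER form after the
handshake (Python's ssl module exposes it via getpeercert(binary_form=True)).
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex.

    Pinning the whole certificate (rather than its SPKI) is the simplest
    form; the price is that every renewal with a new certificate changes
    the pin, so a real deployment ships at least one backup pin.
    """
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any expected pin.

    Uses a constant-time comparison so a mismatch does not leak how many
    leading characters of the pin were right.
    """
    presented = cert_fingerprint(der)
    return any(hmac.compare_digest(presented, p.strip().lower()) for p in pins)


class PinMismatch(ssl.SSLError):
    """Raised when the server's certificate passes CA validation but is not
    the one the client expects: the signature of an interception proxy."""


def pinned_connect(host: str, port: int, pins: Iterable[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf cert is pinned.

    The default context still performs normal CA and hostname validation;
    pinning is an additional check on top, not a replacement. This is the
    network path and is not exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pins):
            raise PinMismatch(f"certificate for {host} does not match any pin")
    except BaseException:
        tls.close()
        raise
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates):
# what the genuine backend would present, and what an interception proxy
# that re-signs traffic with its own CA would present instead.
GENUINE_SERVER_CERT = b"constructed-der: CN=api.example.invalid issued by PublicCA"
INTERCEPTOR_CERT = b"constructed-der: CN=api.example.invalid issued by ProxyCA"

# In a shipped client the pin is a literal baked into the binary; here it is
# derived from the constructed bytes so the demo is self-contained.
EXPECTED_PINS = [cert_fingerprint(GENUINE_SERVER_CERT)]


def handshake_outcome(presented_der: bytes, pins: Iterable[str]) -> str:
    """Summarise what a pinning client does with a presented certificate."""
    return "accepted" if pin_matches(presented_der, pins) else "rejected: pin mismatch"


if __name__ == "__main__":
    print("genuine backend    ->", handshake_outcome(GENUINE_SERVER_CERT, EXPECTED_PINS))
    print("interception proxy ->", handshake_outcome(INTERCEPTOR_CERT, EXPECTED_PINS))
```

The design point is that an interception proxy can only succeed if the client accepts the proxy's certificate; a client that validates against the CA store but also trusts user-installed roots will do so, whereas a pinned client rejects it regardless of which CA signed it. The check deliberately runs after, not instead of, the normal `create_default_context()` validation, and a production client would carry a backup pin and a rotation plan so that a certificate renewal does not lock every user out.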
Affected products
- Range: = 2.11.0-846
Patches
No patches discovered yet.
References
- vuldb.com (MITRE, x_refsource_MISC)
- www.scip.ch/en/ (MITRE, x_refsource_MISC)