Critical Vulnerability Information

Vulnerability Name: (Pwn2Own) Sony XAV-AX8500 Bluetooth L2CAP Protocol Heap-based Buffer Overflow Remote Code Execution Vulnerability
ZDI ID: ZDI-25-354
CVE ID: CVE-2025-5477
CVSS Score: 7.5, AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Vendor: Sony
Affected Product: XAV-AX8500

Vulnerability Details

Description: This vulnerability allows a network-adjacent attacker to execute arbitrary code on the affected Sony XAV-AX8500 device. The attacker must first gain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.

Specific Issue: The specific flaw exists within the implementation of the Bluetooth L2CAP protocol, which does not sufficiently validate the user-supplied data length before copying it into a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the elysian-bt-service process.

Additional Details

Remediation: Sony has released an update to address this vulnerability. For more details, see:
https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax8500/software/00344092

Disclosure Timeline

2025-01-30: Vulnerability reported to vendor
2025-06-11: Coordinated public advisory release
2025-06-11: Advisory updated

Acknowledgments

Discoverer: Mikhail Evdokimov (@konatabrk) from PCAutomotive
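The bug class named in the advisory (a length field taken from the peer and used for a copy into a heap buffer without being checked against what was actually received or allocated) is easiest to see next to its hardened form. The following is an added illustration written for this page; it is not Sony's code, not the elysian-bt-service implementation, and the two-byte length-prefixed frame layout, the `reassembly_t` structure and the function names are all simplifying assumptions rather than the real L2CAP wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified frame format used only for this example:
 *   bytes 0-1 : payload length, little-endian
 *   bytes 2.. : payload
 * It is not the real L2CAP wire format and not Sony's implementation. */

typedef struct {
    uint8_t *buf;   /* heap-allocated reassembly buffer */
    size_t cap;     /* bytes allocated */
    size_t used;    /* bytes already filled */
} reassembly_t;

/* The bug pattern the advisory describes: the declared length is trusted
 * and copied as-is, so a value larger than the allocation writes past the
 * end of the heap buffer. Kept only for contrast; never called. */
int parse_frame_unchecked(reassembly_t *r, const uint8_t *pkt, size_t pkt_len)
{
    (void)pkt_len;
    uint16_t declared = (uint16_t)(pkt[0] | (pkt[1] << 8));
    memcpy(r->buf + r->used, pkt + 2, declared);   /* heap overflow */
    r->used += declared;
    return (int)declared;
}

/* Hardened variant: the declared length must be covered by the bytes that
 * were actually received AND fit in the remaining buffer capacity.
 * Returns the number of payload bytes accepted, or -1 on rejection. */
int parse_frame_checked(reassembly_t *r, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < 2)
        return -1;                                  /* truncated header */
    uint16_t declared = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if ((size_t)declared > pkt_len - 2)
        return -1;                                  /* claims more than received */
    if ((size_t)declared > r->cap - r->used)
        return -1;                                  /* would overflow allocation */
    memcpy(r->buf + r->used, pkt + 2, declared);
    r->used += declared;
    return (int)declared;
}

/* Convenience wrapper: allocate a buffer of `cap` bytes, feed one frame
 * through the checked parser, and return its verdict. */
int check_frame(size_t cap, const uint8_t *pkt, size_t pkt_len)
{
    reassembly_t r = { .buf = calloc(cap, 1), .cap = cap, .used = 0 };
    if (r.buf == NULL)
        return -1;
    int rc = parse_frame_checked(&r, pkt, pkt_len);
    free(r.buf);
    return rc;
}

int main(void)
{
    /* Constructed sample frames for the demo (not captured traffic). */
    const uint8_t ok[]        = { 3, 0, 'a', 'b', 'c' };                   /* len 3, 3 bytes present */
    const uint8_t lies[]      = { 200, 0, 'a', 'b', 'c' };                 /* len 200, only 3 bytes present */
    const uint8_t too_big[]   = { 10, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };   /* len 10 into an 8-byte buffer */
    const uint8_t truncated[] = { 3 };                                     /* header itself incomplete */

    printf("ok:        %d\n", check_frame(64, ok, sizeof ok));               /* 3  */
    printf("lies:      %d\n", check_frame(64, lies, sizeof lies));           /* -1 */
    printf("too_big:   %d\n", check_frame(8, too_big, sizeof too_big));      /* -1 */
    printf("truncated: %d\n", check_frame(64, truncated, sizeof truncated)); /* -1 */
    return 0;
}
```

The two separate checks matter: comparing the declared length only against the received packet size still lets a well-formed but oversized frame overrun a smaller reassembly buffer, and comparing only against capacity lets a short packet cause an out-of-bounds read. Both bounds, plus the header-length check, are what a reviewer should look for in any length-prefixed protocol parser that feeds a heap allocation.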