ELECTRIC motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact, according to CISA advisories cited by SecurityWeek. The Zero Motorcycles flaw, tracked as CVE-2026-1354, could let an attacker connect over Bluetooth and upload malicious firmware after a proximity pairing, potentially altering torque output, regenerative braking, battery management and other safety-critical functions.
The Yadea T5 scooter vulnerability, CVE-2025-70994 and rated high severity, allows interception of legitimate key fob transmissions and, via replayed commands, could enable theft of the scooter; researchers say an attacker in proximity can replay unlock and start commands. Bureau Veritas Cybersecurity researchers described the Zero vulnerability and noted that the vendor plans a firmware patch in May, with guidance to pair the bike only in safe locations.
The advisories emphasise that successful exploitation requires close physical proximity and knowledge of the pairing flow, and that compromised firmware could have real-world safety consequences. According to CISA, the vulnerabilities illustrate the risk posed by weak authentication and insecure updates in connected two-wheelers.