CISA 2026-04-23

Yadea T5 Electric Bicycle

CVE-2025-70994

Machine-generated analysis · WAYSCloud LLM

The advisory notes that Yadea did not respond to coordination attempts, indicating no patch is available. This affects all versions of the T5 Electric Bicycle through a weak authentication mechanism.

Context

The affected product is the Yadea T5 Electric Bicycle, used in transportation systems worldwide. The advisory states that a weak authentication mechanism allows signal forgery after a local attacker intercepts any legitimate key fob transmissions. The vendor did not provide mitigations despite coordination attempts.

Operator considerations

Check: Inventory Yadea T5 Electric Bicycle assets.
Isolate: Store bicycles in secured areas with restricted physical access.
Patch: No patch is available according to the advisory; use external locks as recommended.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft.

The following versions of Yadea T5 Electric Bicycle are affected:

T5 Electric Bicycle vers:all/* (CVE-2025-70994)

Vendor

Equipment

Yadea

Yadea T5 Electric Bicycle

Weak Authentication

Critical Infrastructure Sectors: Transportation Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: China

Yadea T5 Electric Bicycles have a weak authentication mechanism which is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions.

Yadea T5 Electric Bicycle

MitigationYadea did not respond to CISA's attempts at coordination. Users of Yadea T5 Electric Bicycles are encouraged to keep their systems up to date and lock their property securely with external mechanisms. Users can contact...

Read the full advisory on CISA →