Zero Motorcycles and Yadea Scooters Both Have Software Security Vulnerabilities

You're used to hearing about computer hacking, and maybe even robot vacuum hacking, but no one wants to hear about motorcycle hacking. But that's what is occurring with Zero and Yadea right now.

Photo by: Zero Motorcycles

By: Janaki Jitchotvisut

May 4, at 7:34am ET

Comment

In our increasingly connected world, more and more of the things we use every day are engineered for maximum connectivity. Does your refrigerator need Bluetooth and/or WiFi connectivity? How about your microwave? Your car? Maybe even your motorcycle?

Listen, if you really need your refrigerator to send you a push notification on your phone to let you know that the door is open, I'm not totally sure how that's supposed to help when you're already at the airport and about to board a plane. I mean, I guess maybe you could call someone closer to home and tell them to go shut the door? But honestly, it seems a bit like solving a hypothetical problem that may not actually exist.

On vehicles, there's more of a case to be made for the benefits of connectivity; after all, navigation and music streaming both usually require connecting your phone. There's also an argument to be made about adding things like route recording (so you can keep track of your favorites), and why not add value with features like vehicle health, or the ability to adjust settings from your phone instead of diving into sub-menus on the dash, and so on. Sometimes, those features can be very cool and useful (as long as they're working as intended).

But even if you're super into the potential user benefits, all that connectivity has always and will always come with certain risks. And if you didn't have learning about security vulnerabilities on a couple of two-wheeled vehicles on your bingo card for 2026, don't worry; neither did we. But that's what I'm about to tell you!

And worse yet, it involves Zero Motorcycles and Yadea Scooters.

Cybersecurity publication SC Media brought our attention to two new Common Vulnerabilities and Exposures (CVE) reports that were filed with the US Cybersecurity and Infrastructure Security Agency (CISA) earlier this month.

On April 21, 2026, security researcher Persephone Karnstein of Bureau Veritas Cybersecurity North America filed a vulnerability report on Zero Motorcycles firmware versions 44 and prior. The reason? They found a threat deemed of medium risk to users, whereby a bad actor could "forcibly pair a device with the motorcycle via Bluetooth" due to this vulnerability.

Tell us what you think!

View

Comments

Now, to be fair, certain precise conditions must be met for this threat to fully be realized. Firstly, the motorcycle must be in Bluetooth pairing mode, and the malicious actor's device must remain in close enough proximity to the motorcycle to potentially upload malicious firmware, and remain so for the duration of the firmware update. Still, it's unsettling enough to find malware on your phone or computer; thinking about the havoc it could wreak on a vehicle you're betting your life on every time you ride it is concerning on a more visceral level, to my mind.

A couple of days later, on April 23, 2026, security researchers filed a vulnerability report regarding Yadea T5 electric scooters. These use an electronic key fob to activate and ride, but apparently their RF code protocol isn't robust enough to prevent unauthorized users from effectively forging the signal. It's possible for them to intercept the legitimate RF code from the key fob, then access remote vehicle operation by using a replay attack (in other words, resending the legit information they previously intercepted from the very legit key fob).

RideApart has reached out to both Zero Motorcycles and Yadea to ask what actions both companies are taking with regard to these security vulnerability reports. We will update this piece with any responses we receive.

While both of these cybersecurity vulnerability reports were filed in the US, with a US agency, both Zero and Yadea sell their machines worldwide. Since that's the case, even if you're not located in the US, I'd recommend staying up to date with this story if you own any of the motorcycles or scooters affected. As and when both companies implement fixes, you'll want to know about and apply them, regardless of your geography.