🤖 AI Summary
Automotive software vulnerabilities pose escalating risks amid the rapid evolution of connected vehicle ecosystems, yet longitudinal, empirical analyses of their temporal patterns and cross-component distribution remain scarce.
Method: This study systematically analyzes 1,663 publicly disclosed automotive software vulnerabilities from 2018–2024, constructing the first seven-year vulnerability time series. It maps Common Weakness Enumeration (CWE) categories to Software Development Life Cycle (SDLC) phases—development, integration, and deployment—and performs cross-layer root-cause attribution to identify high-introduction stages across vehicle systems, cloud platforms, and mobile applications.
Contribution/Results: The analysis reveals evolving CWE prevalence trends (e.g., temporal surges in CWE-787 and CWE-125), quantifies vulnerability distribution across ecosystem components, and identifies critical SDLC phases where weaknesses are most frequently introduced. It delivers an evidence-based vulnerability prioritization framework for proactive, lifecycle-wide mitigation—filling a critical gap in long-term automotive software vulnerability research.
📝 Abstract
The automotive industry has undergone a drastic transformation in the past few years as vehicles became connected to the internet. Connected vehicles now require a complex architecture with interdependent functionalities that support modern lifestyles and their needs. As a result, automotive software has shifted from purely embedded systems or SoC (System on Chip) platforms to a more hybrid platform that also includes software for web and mobile applications, cloud, simulation, infotainment, etc. Accordingly, the security concerns for automotive software have grown in step. This paper presents a study on automotive vulnerabilities from 2018 to September 2024, i.e., the last seven years, intending to understand and report the noticeable changes in their pattern. 1,663 automotive software vulnerabilities were found to have been reported in the studied time frame. The study reveals how the Common Weakness Enumeration (CWE) categories associated with these vulnerabilities develop over time and how different parts of the automotive ecosystem are exposed to these CWEs. Our study provides a platform for understanding automotive software weaknesses and loopholes and paves the way for identifying the phase of the software development lifecycle in which each vulnerability was introduced. Our findings are a step forward in supporting vulnerability management in automotive software across its entire life cycle.
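The three analyses the summary and abstract describe (a per-year CWE time series, attribution of each CWE to an SDLC phase, and a breakdown across vehicle, cloud and mobile components) can be expressed as a small data pipeline. The following Python is an added example, not code or data from the paper: the vulnerability records are constructed with placeholder ids, and the CWE-to-phase table is an illustrative assumption, not the authors' mapping. Records whose CWE is a placeholder such as `NVD-CWE-noinfo` are kept and reported as unmapped rather than silently dropped, since that residual category is something a practitioner reproducing such a study has to account for.

```python
"""
Added example (not from the paper): turn disclosed-vulnerability records into
(1) a per-year CWE time series, (2) a CWE -> SDLC-phase attribution and
(3) a phase distribution per ecosystem component.  Records and the
CWE-to-phase table below are constructed for illustration only.
"""
from collections import Counter, defaultdict

YEARS = list(range(2018, 2025))  # the seven-year window 2018..2024

# ASSUMPTION: illustrative mapping of CWE ids to the SDLC phase where such a
# weakness is typically introduced.  This is not the paper's mapping.
CWE_TO_PHASE = {
    "CWE-787": "development",   # Out-of-bounds Write: coding defect
    "CWE-125": "development",   # Out-of-bounds Read: coding defect
    "CWE-79": "development",    # Cross-site Scripting: coding defect
    "CWE-89": "development",    # SQL Injection: coding defect
    "CWE-295": "integration",   # Improper Certificate Validation: how parts are wired together
    "CWE-1188": "deployment",   # Insecure default initialisation: shipped configuration
    "CWE-16": "deployment",     # Configuration: shipped configuration
}

# Constructed sample records; "VULN-xxxx" ids are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "VULN-0001", "year": 2018, "cwe": "CWE-79", "component": "mobile"},
    {"id": "VULN-0002", "year": 2019, "cwe": "CWE-89", "component": "cloud"},
    {"id": "VULN-0003", "year": 2020, "cwe": "CWE-787", "component": "vehicle"},
    {"id": "VULN-0004", "year": 2021, "cwe": "CWE-787", "component": "vehicle"},
    {"id": "VULN-0005", "year": 2021, "cwe": "CWE-125", "component": "vehicle"},
    {"id": "VULN-0006", "year": 2022, "cwe": "CWE-295", "component": "mobile"},
    {"id": "VULN-0007", "year": 2022, "cwe": "CWE-787", "component": "vehicle"},
    {"id": "VULN-0008", "year": 2023, "cwe": "CWE-787", "component": "vehicle"},
    {"id": "VULN-0009", "year": 2023, "cwe": "CWE-125", "component": "vehicle"},
    {"id": "VULN-0010", "year": 2023, "cwe": "CWE-1188", "component": "cloud"},
    {"id": "VULN-0011", "year": 2024, "cwe": "CWE-787", "component": "vehicle"},
    {"id": "VULN-0012", "year": 2024, "cwe": "CWE-125", "component": "vehicle"},
    {"id": "VULN-0013", "year": 2024, "cwe": "CWE-16", "component": "cloud"},
    {"id": "VULN-0014", "year": 2024, "cwe": "NVD-CWE-noinfo", "component": "mobile"},
]


def cwe_time_series(records, years=YEARS):
    """Return {cwe: [count per year]} with an explicit 0 for years without reports."""
    counts = Counter((r["year"], r["cwe"]) for r in records)
    cwes = sorted({r["cwe"] for r in records})
    return {cwe: [counts[(year, cwe)] for year in years] for cwe in cwes}


def rising_cwes(records, years=YEARS):
    """CWEs reported more often in the later third of the window than in the
    earlier third, as {cwe: (early_count, late_count)}.  A simple surge test."""
    series = cwe_time_series(records, years)
    split = len(years) // 2
    result = {}
    for cwe, counts in series.items():
        early, late = sum(counts[:split]), sum(counts[-split:])
        if late > early:
            result[cwe] = (early, late)
    return result


def sdlc_phase(cwe):
    """Attribute a CWE to an SDLC phase; unknown or placeholder ids are
    flagged as 'unmapped' instead of being guessed or dropped."""
    return CWE_TO_PHASE.get(cwe, "unmapped")


def phase_distribution(records):
    """Return {component: {phase: count}}, the cross-layer root-cause view."""
    dist = defaultdict(Counter)
    for r in records:
        dist[r["component"]][sdlc_phase(r["cwe"])] += 1
    return {component: dict(phases) for component, phases in dist.items()}


if __name__ == "__main__":
    for cwe, counts in cwe_time_series(SAMPLE_RECORDS).items():
        print(f"{cwe:>15}: {counts}")
    print("rising:", rising_cwes(SAMPLE_RECORDS))
    print("phase distribution:", phase_distribution(SAMPLE_RECORDS))
```

Running the module prints the time series for each CWE, the CWEs whose late-window count exceeds their early-window count, and the per-component phase counts; the `unmapped` bucket makes visible how much of a dataset cannot be attributed to a phase at all.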