The flaw affected models fitted with BMW's ConnectedDrive software, which uses an on-board Sim card.
The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.
No cars have actually been hacked, but the flaw was identified by German motorist association ADAC.
ADAC's researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim.
The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) - the same security commonly used for online banking, BMW said.
"On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network," it said in a statement.
This should have already been in place, said security expert Graham Cluley.
"You would probably have hoped that BMW's engineers would have thought about [using HTTPS] in the first place," he wrote on his blog.
"If you are worried that your vehicle may not have received the update (perhaps because it has been parked in an underground car park or other places without a mobile phone signal, or if its starter battery has been disconnected) then you should choose "Update Services" from your car's menu."