DIVD-2025-00003 - Multiple vulnerabilities in Mennekes Smart / Ultimate Charging stations

Our reference	DIVD-2025-00003
Case lead	Frank Breedijk
Researcher(s)	Wilco van Beijnum (external) Harm van den Brink Frank Breedijk
CVE(s)	CVE-2025-22366 CVE-2025-22367 CVE-2025-22368 CVE-2025-22369 CVE-2025-22370
Products	Mennekes Smart / Premium Charging stations
Versions	Firmware version < 2.15
Recommendation	Install the update from the vendor
Patch status	Full patched
Status	Open
Last modified	11 Mar 2025 15:41 CET

Summary

External research Wilco van Beijnum and DIVD researcher Harm van der Brik have identified multiple vulnerabilities in the Firmware of the Mennekes Premium Column charging station. These vulnerabilities allow an authenticated attacker to execute arbitrary OS commands, read arbitrary files or execute SQL commands against the database of the charging station. This firmware is common to all Mennekes Smart / Premium chargers.

These vulnerabilities are:

CVE-2025-22366 - An Authenticated Remote Command Execution in the firmware update interface, CVSS4.0: 8.7
CVE-2025-22367 - An Authenticated Remote Command Execution in the set time interface, CVSS4.0: 8.7
CVE-2025-22368 - An Authenticated Remote Command Execution in the SCU firmware update interface, CVSS4.0: 8.7
CVE-2025-22369 - An arbitrary file read vulnerability, CVSS4.0: 7.1
CVE-2025-22370 - Multiple SQL injection vulnerabilities in the configuration screens , CVSS4.0: 5.3

What you can do

If you are the owner of or are responsible for the maintenance of such a charging station we recommend that you update the firmware to the latest version. You can download the firmware from the Mennekes Software Updates page

What we are doing

We have responsibibly disclosed the vulnerabilities to Mennekes. We are investigating if it is possible to scan for these vulnerabilities remotely.

Timeline

Date	Description
12 Sep 2024	Vulnerabilities reported to DIVD
15 Jan 2025	Reserved CVES
15 Jan 2025	Reached out to vendor
16 Jan 2025	Vulnerabilities disclosed to vendor and receipt confirmed
16 Jan 2025- 16 Jan 2025	Time to acknowledge
27 Jan 2025	Vendor confirms findings are valid
03 Mar 2025	Vendor informs us release candidate is ready for testing
10 Mar 2025	Vendor informs us new firmware version is released
16 Jan 2025- 10 Mar 2025	Time to patch

gantt title DIVD-2025-00003 - Multiple vulnerabilities in Mennekes Smart / Ultimate Charging stations dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2025-00003 - Multiple vulnerabilities in Mennekes Smart / Ultimate Charging stations (still open) :2024-09-12, 2025-03-18 section Events Vulnerabilities reported to DIVD : milestone, 2024-09-12, 0d Reserved CVES : milestone, 2025-01-15, 0d Reached out to vendor : milestone, 2025-01-15, 0d Vulnerabilities disclosed to vendor and receipt confirmed : milestone, 2025-01-16, 0d Time to acknowledge (0 days) : 2025-01-16, 2025-01-16 Vendor confirms findings are valid : milestone, 2025-01-27, 0d Vendor informs us release candidate is ready for testing : milestone, 2025-03-03, 0d Vendor informs us new firmware version is released : milestone, 2025-03-10, 0d Time to patch (53 days) : 2025-01-16, 2025-03-10

More information

Mennekes Software Updates page
Mennekes Release Notes
CVE-2025-22366 - An Authenticated Remote Command Execution in the firmware update interface, CVSS4.0: 8.7
CVE-2025-22367 - An Authenticated Remote Command Execution in the set time interface, CVSS4.0: 8.7
CVE-2025-22368 - An Authenticated Remote Command Execution in the SCU firmware update interface, CVSS4.0: 8.7
CVE-2025-22369 - An arbitrary file read vulnerability, CVSS4.0: 7.1
CVE-2025-22370 - Multiple SQL injection vulnerabilities in the configuration screens , CVSS4.0: 5.3

DIVD CSIRT