DIVD-2025-00012 - Four vulnerabilities in Schneider Electric EVLink Wallbox

Summary

DIVD researcher Wilco van Beijnum has discovered four vulnerabilities in Schneider Electric EVLink Wallbox EV charger, that allow authenticated users to read and write arbitrary files on the device, execute arbitrary code via this method, inject commands via the configuration options and conduct stored cross site scripting in the report functionality.

The vulnerabilities will not be patched by Schneider Electric as the devices at the end of their commercial life. The vendor is offering a replacement product that is not affected by these vulnerabilities as well as a detailed advisory that contains mitigating measures.

What you can do

If you have a Schneider Electric EVLink Wallbox it is best to decommission this devices, refrain from selling it second hand and replace it with a product that can be updated, has a long projected support time and is not affected by these vulnerabilities.

If you choose to keep this device in operation it is recommended that you take the following measures:

• Make sure the device is not reachable from any untrusted network (internet, visitor network, public wifi, etc.)
• Put the devices on a separate VLAN or isolate it in another way
• Check the device’s log for abuse regularly
• Choose a strong password
• Change the password regularly

What we are doing

DIVD has reported the vulnerability to Schneider Electric. As they are a CNA themselves, Schneider Electric has registered CVEs for these vulnerabilities.

We are currently making a decision if it makes sense to scan for vulnerable devices and warn the owners.

Timeline

More information

• CVE-2025-5740
• CVE-2025-5741
• CVE-2025-5742
• CVE-2025-5743
• Vendor Advisory
• Product Website