DIVD-2025-00012 - Four vulnerabilities in Schneider Electric EVLink Wallbox
Field | Value |
---|---|
Our reference | DIVD-2025-00012 |
Case lead | Frank Breedijk |
Researcher(s) | Wilco van Beijnum |
CVE(s) | |
Products | Schneider Electric EVLink Wallbox |
Versions | |
Recommendation | No patch available, product is no longer supported. Apply mitigating measures |
Patch status | No patch available, product is no longer supported |
Workaround | Apply the mitigating measures suggested by the vendor |
Status | Open |
Last modified | 12 Jun 2025 15:24 CEST |
Summary
DIVD researcher Wilco van Beijnum has discovered four vulnerabilities in the Schneider Electric EVLink Wallbox EV charger that allow authenticated users to read and write arbitrary files on the device, execute arbitrary code by this means, inject commands via the configuration options, and conduct stored cross-site scripting in the report functionality.
The vulnerabilities will not be patched by Schneider Electric, as the devices are at the end of their commercial life. The vendor is offering a replacement product that is not affected by these vulnerabilities, as well as a detailed advisory that contains mitigating measures.
What you can do
If you have a Schneider Electric EVLink Wallbox, it is best to decommission the device, refrain from selling it second hand, and replace it with a product that can be updated, has a long projected support time, and is not affected by these vulnerabilities.
If you choose to keep this device in operation it is recommended that you take the following measures:
- Make sure the device is not reachable from any untrusted network (internet, visitor network, public wifi, etc.)
- Put the devices on a separate VLAN or isolate it in another way
- Check the device’s log for abuse regularly
- Choose a strong password
- Change the password regularly
What we are doing
DIVD has reported the vulnerabilities to Schneider Electric. As Schneider Electric is a CNA itself, it has registered CVEs for these vulnerabilities.
We are currently deciding whether it makes sense to scan for vulnerable devices and warn the owners.
Timeline
Date | Description |
---|---|
22 Apr 2025 | Vulnerability reported to DIVD |
23 Apr 2025 | DIVD reaches out to Schneider Electric PSIRT |
23 Apr 2025 | Schneider Electric acknowledges receipt of report |
23 Apr 2025 - 23 Apr 2025 | Time to acknowledge |
28 Apr 2025 | Schneider Electric assigns SE-18861 to SE-18864 to vulnerabilities |
20 May 2025 | Schneider Electric confirms vulnerabilities exist |
10 Jun 2025 | Schneider Electric publishes CVE records |
10 Jun 2025 | Schneider Electric publishes advisory SEVD-2025-161-03 |
23 Apr 2025 - ? | Time to patch (N/A) |