
DIVD-2025-00012 - Four vulnerabilities in Schneider Electric EVLink Wallbox

Our reference DIVD-2025-00012
Case lead Frank Breedijk
Researcher(s)
CVE(s)
Products
  • Schneider Electric EVLink Wallbox
Versions
  • All versions
Recommendation No patch available, product is no longer supported. Apply mitigating measures
Patch status No patch available, product is no longer supported
Workaround Apply the mitigating measures suggested by the vendor
Status Open
Last modified 12 Jun 2025 15:24 CEST

Summary

DIVD researcher Wilco van Beijnum has discovered four vulnerabilities in the Schneider Electric EVLink Wallbox EV charger that allow authenticated users to read and write arbitrary files on the device, execute arbitrary code via this method, inject commands via the configuration options, and conduct stored cross-site scripting in the report functionality.

The vulnerabilities will not be patched by Schneider Electric, as the devices are at the end of their commercial life. The vendor is offering a replacement product that is not affected by these vulnerabilities, as well as a detailed advisory that contains mitigating measures.

What you can do

If you have a Schneider Electric EVLink Wallbox, it is best to decommission this device, refrain from selling it second-hand, and replace it with a product that can be updated, has a long projected support time, and is not affected by these vulnerabilities.

If you choose to keep this device in operation it is recommended that you take the following measures:

What we are doing

DIVD has reported the vulnerability to Schneider Electric. As they are a CNA themselves, Schneider Electric has registered CVEs for these vulnerabilities.

We are currently deciding whether it makes sense to scan for vulnerable devices and warn the owners.

Timeline

Date Description
22 Apr 2025 Vulnerability reported to DIVD
23 Apr 2025 DIVD reaches out to Schneider Electric PSIRT
23 Apr 2025 Schneider Electric acknowledges receipt of report
23 Apr 2025 - 23 Apr 2025 Time to acknowledge
28 Apr 2025 Schneider Electric assigns SE-18861 to SE-18864 to vulnerabilities
20 May 2025 Schneider Electric confirms vulnerabilities exist
10 Jun 2025 Schneider Electric publishes CVE records
10 Jun 2025 Schneider Electric publishes advisory SEVD-2025-161-03
23 Apr 2025 - ? Time to patch (N/A)

More information