CVE-2025-22366

Mennekes smart/premium charging systems, Command injection in firmware upgrade

CVE: CVE-2025-22366
Title: Mennekes smart/premium charging systems, Command injection in firmware upgrade
Credits:
  • Wilco van Beijnum (finder)
  • Harm van den Brink (DIVD) (analyst)
  • Frank Breedijk (DIVD) (analyst)
Affected products:
  Product: Mennekes Smart / Premium charging stations
  Affected: >= * to < 2.15 (semver), i.e. every version before 2.15
  Unaffected: everything else
CVSS:
  Base score: 8.7 - HIGH
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Attack Requirements: NONE
  Privileges Required: LOW
  Confidentiality Impact: Vulnerable system HIGH, Subsequent systems LOW
  Integrity Impact: Vulnerable system HIGH, Subsequent systems NONE
  Availability Impact: Vulnerable system HIGH, Subsequent systems NONE
  Safety impact: NEGLIGIBLE
  Automatable: YES
  Recovery: NOT_DEFINED
  Value Density: NOT_DEFINED
  Vulnerability Response effort: NOT_DEFINED
  Provider Urgency: NOT_DEFINED
References: (none listed)
Problem type(s): (none listed)
Impact(s): CAPEC-248 Command Injection
Date published: 10 Mar 2025 14:00 UTC
Last modified: 11 Mar 2025 13:40 UTC

Description

The authenticated firmware update capability of the firmware for Mennekes Smart / Premium charging points can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS.
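As an added illustration of the pattern the description names (improper neutralization of a request field that reaches the OS, CWE-78 / CAPEC-248), the following is not code from the advisory, DIVD or Mennekes. It contrasts an unsafe handler that splices a firmware-image field into a shell command string with a hardened handler that allowlists the field and hands it to the updater as an argv list, plus a small log-triage check. The `/usr/sbin/fwupdate` path, the `--image` flag, the function names and the sample filenames are all hypothetical.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs (not from the advisory): one ordinary image name and
# one that carries a shell metacharacter, as a request field might.
SAMPLE_OK = "charger-2.15.0.bin"
SAMPLE_BAD = "charger.bin; echo injected"


def build_command_unsafe(filename: str) -> str:
    """Unsafe form: the field becomes part of a shell command string.

    Only BUILDS the string so it can be inspected; a real handler would pass it
    to os.system() or subprocess.run(..., shell=True), and the shell would then
    treat ';' as a command separator rather than as part of the filename.
    (The updater path and flag are hypothetical.)
    """
    return f"/usr/sbin/fwupdate --image /tmp/{filename}"


# Conservative allowlist: alphanumerics, dot, underscore, dash; no slashes,
# no whitespace, no shell metacharacters, bounded length.
_IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_image_name(filename: str) -> str:
    """Reject anything outside the allowlist or containing a '..' component."""
    if not _IMAGE_NAME_RE.fullmatch(filename) or ".." in filename:
        raise ValueError(f"rejected firmware image name: {filename!r}")
    return filename


def build_argv_safe(filename: str) -> List[str]:
    """Hardened form: validated field, argv list, no shell involved.

    Each list element reaches execve() verbatim, so even a name that slipped
    past validation could not start a second command.
    """
    name = validate_image_name(filename)
    return ["/usr/sbin/fwupdate", "--image", f"/tmp/{name}"]


def run_update_safe(filename: str, dry_run: bool = True) -> List[str]:
    """Validate and (unless dry_run) launch the updater with shell=False."""
    argv = build_argv_safe(filename)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


def build_command_quoted(filename: str) -> str:
    """Fallback when a shell really is unavoidable: validate, then quote.

    shlex.quote() wraps the value in single quotes so metacharacters are
    passed literally; validation still comes first.
    """
    name = validate_image_name(filename)
    return f"/usr/sbin/fwupdate --image {shlex.quote('/tmp/' + name)}"


def looks_like_injection(field: str) -> bool:
    """Triage heuristic for request or update logs: flag fields carrying shell
    separators, redirections, backticks or command substitution."""
    return bool(re.search(r"[;&|`<>\n]|\$\(|\$\{", field))


if __name__ == "__main__":
    print("unsafe string :", build_command_unsafe(SAMPLE_BAD))
    print("safe argv     :", run_update_safe(SAMPLE_OK))
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(f"{sample!r}: suspicious={looks_like_injection(sample)}")
        try:
            run_update_safe(sample)
        except ValueError as exc:
            print("  rejected:", exc)
```

The two properties that close this class of bug are visible side by side: the hardened path never lets user data decide process structure (argv list, `shell=False`), and it rejects unexpected input before the updater sees it rather than trying to strip bad characters afterwards. The `looks_like_injection` check is only a triage aid for reviewing update requests; it is not a substitute for the allowlist.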