CVE-2025-22370

Mennekes smart/premium charges systems, SQL Injection in web configuration interface

CVE CVE-2025-22370
Title Mennekes smart/premium charges systems, SQL Injection in web configuration interface
Credits
  • Wilco van Beijnum (finder)
  • Harm van den Brink (DIVD) (analyst)
  • Frank Breedijk (DIVD) (analyst)
Affected products
Product Affected Unaffected Unknown
Mennekes Smart / Premium charging stations >= * to < 2.15 (semver)
everything else
CVSS
Base score 5.3 - MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system LOW Subsequent systems NONE
Integrity Impact
Vulnerable system LOW Subsequent systems NONE
Availability Impact
Vulnerable system NONE Subsequent systems NONE
Safety impact NEGLIGIBLE
Automatable YES
Recovery NOT_DEFINED
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s)
Impact(s) CAPEC-66 SQL Injection
Date published 10 Mar 2025 14:00 UTC
Last modified 11 Mar 2025 13:40 UTC

Description

Many fields in the web configuration interface of the firmware for Mennekes Smart / Premium charging points can be abused to execute arbitrary SQL commands because their values are insufficiently neutralized.
