Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the Tuya communications module software. The issue results from the exposure of a method allowing the upload of crafted software images to the module. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26349.
AnalysisAI
Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.
Technical ContextAI
The vulnerability resides in the Tuya communications module software integrated into WOLFBOX Level 2 EV Chargers. Tuya is a widely-used IoT cloud platform providing connectivity and OTA (Over-The-Air) update capabilities for smart devices. The specific flaw involves CWE-749 (Exposed Dangerous Method or Function), where a method responsible for firmware/software image uploads has been exposed without adequate access controls. The underlying issue is compounded by a secondary authentication bypass vulnerability within the Tuya module's authentication mechanism, allowing attackers to circumvent the intended privilege requirements. This combination—exposed OTA upload functionality plus authentication bypass—creates a direct path to arbitrary code execution on the device's Tuya communication subsystem and potentially the host EV charger system. The LAN-based attack vector indicates the vulnerability is exploitable from devices on the same network segment as the charger.
RemediationAI
Immediate remediation steps: (1) Check WOLFBOX and Tuya official security advisories for available firmware patches addressing CVE-2025-5748 and authentication bypass; (2) Apply vendor-provided firmware updates to all affected EV chargers immediately upon availability; (3) Network segmentation: isolate EV charger management interfaces to restricted VLANs with access controls limiting LAN exposure; (4) Disable OTA auto-update if manual update review is feasible; (5) Implement network-level monitoring for suspicious firmware upload attempts to charger devices (watch for firmware update traffic patterns); (6) Reset authentication credentials on affected devices if supported; (7) Monitor Tuya module logs for unauthorized access attempts. Long-term: replace affected devices with patched versions once vendor provides remediation, or migrate to alternative non-Tuya-dependent charger platforms if patches are unavailable. Specific patch versions and vendor advisory links must be obtained from WOLFBOX and Tuya security bulletins.
A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the
RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17312