Skip to main content

IoT CVE-2025-5748

| EUVDEUVD-2025-17312 HIGH
Exposed Dangerous Method or Function (CWE-749)
2025-06-06 zdi-disclosures@trendmicro.com
8.0
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17312
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 8.0

DescriptionCVE.org

WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the Tuya communications module software. The issue results from the exposure of a method allowing the upload of crafted software images to the module. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26349.

AnalysisAI

Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.

Technical ContextAI

The vulnerability resides in the Tuya communications module software integrated into WOLFBOX Level 2 EV Chargers. Tuya is a widely-used IoT cloud platform providing connectivity and OTA (Over-The-Air) update capabilities for smart devices. The specific flaw involves CWE-749 (Exposed Dangerous Method or Function), where a method responsible for firmware/software image uploads has been exposed without adequate access controls. The underlying issue is compounded by a secondary authentication bypass vulnerability within the Tuya module's authentication mechanism, allowing attackers to circumvent the intended privilege requirements. This combination—exposed OTA upload functionality plus authentication bypass—creates a direct path to arbitrary code execution on the device's Tuya communication subsystem and potentially the host EV charger system. The LAN-based attack vector indicates the vulnerability is exploitable from devices on the same network segment as the charger.

RemediationAI

Immediate remediation steps: (1) Check WOLFBOX and Tuya official security advisories for available firmware patches addressing CVE-2025-5748 and authentication bypass; (2) Apply vendor-provided firmware updates to all affected EV chargers immediately upon availability; (3) Network segmentation: isolate EV charger management interfaces to restricted VLANs with access controls limiting LAN exposure; (4) Disable OTA auto-update if manual update review is feasible; (5) Implement network-level monitoring for suspicious firmware upload attempts to charger devices (watch for firmware update traffic patterns); (6) Reset authentication credentials on affected devices if supported; (7) Monitor Tuya module logs for unauthorized access attempts. Long-term: replace affected devices with patched versions once vendor provides remediation, or migrate to alternative non-Tuya-dependent charger platforms if patches are unavailable. Specific patch versions and vendor advisory links must be obtained from WOLFBOX and Tuya security bulletins.

More in IoT

View all
CVE-2025-45988 CRITICAL POC
9.8 Jun 13

A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-29128 CRITICAL POC
10.0 Mar 05

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

CVE-2025-63624 CRITICAL POC
9.8 Feb 03

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the

CVE-2026-25139 CRITICAL POC
9.1 Feb 04

RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o

CVE-2025-5875 HIGH POC
8.8 Jun 09

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available

CVE-2025-34023 HIGH POC
8.5 Jun 20

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth

CVE-2025-48466 HIGH POC
8.1 Jun 24

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

CVE-2026-27177 HIGH POC
7.2 Feb 18

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in

CVE-2025-7503 CRITICAL
10.0 Jul 11

CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect

CVE-2025-64090 CRITICAL
10.0 Jan 09

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

CVE-2026-1633 CRITICAL
10.0 Feb 04

Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)

CVE-2025-40805 CRITICAL
10.0 Jan 13

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc

Share

CVE-2025-5748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy