Skip to main content

Maxicharger Ac Elite Business C50 Firmware CVE-2025-5822

| EUVDEUVD-2025-28665 HIGH
Incorrect Authorization (CWE-863)
2025-06-25 zdi-disclosures@trendmicro.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-28665
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 18:15 nvd
HIGH 8.8

DescriptionCVE.org

Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability.

The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.

AnalysisAI

CVE-2025-5822 is a privilege escalation vulnerability in the Autel MaxiCharger AC Wallbox Commercial Technician API that allows authenticated attackers to escalate from low-privileged users to higher privilege levels, potentially gaining unauthorized access to administrative functions and sensitive charging station data. The vulnerability requires an attacker to first obtain a valid low-privileged API token, after which they can bypass authorization controls to access restricted resources. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant risk to commercial EV charging infrastructure.

Technical ContextAI

The vulnerability exists in Autel's Technician API implementation for MaxiCharger AC Wallbox Commercial units, which are networked EV charging stations. The root cause is classified under CWE-863 (Incorrect Authorization), indicating the API fails to properly verify that an authenticated user has permission to access requested resources beyond their assigned privilege level. This is a classic authorization flaw where the API likely performs authentication (verifying identity via token) but lacks sufficient authorization checks (verifying the authenticated user's permissions for specific actions). The Technician API is a remote management interface used for diagnostics, configuration, and monitoring of commercial charging stations, making it a high-value target. The vulnerability affects the commercial variant of Autel's wallbox products, which integrate into fleet management and commercial charging networks.

RemediationAI

Specific patch versions were not provided in the CVE description. Recommended actions: (1) Contact Autel support immediately to obtain patched firmware versions for affected MaxiCharger AC Wallbox Commercial units; (2) If patches are not yet available, implement network-level access controls restricting Technician API exposure to trusted administrative networks only, ideally behind VPN; (3) Rotate all low-privileged API tokens currently in use, implement token expiration policies, and audit token usage logs for unauthorized escalation attempts; (4) Disable the Technician API if not actively required for operations; (5) Monitor for suspicious API calls from low-privilege accounts attempting to access high-privilege resources; (6) Implement request signing or mutual TLS for API authentication to increase exploitation difficulty. Vendor advisory with patch availability should be obtained directly from Autel's security advisory page or PSIRT contact.

Share

CVE-2025-5822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy