EUVD-2025-19124CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Wallbox Commercial. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the handling of bluetooth pairing requests. The issue results from insufficient validation of the origin of commands. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26353.
Analysis
CVE-2025-5824 is an authentication bypass vulnerability in Autel MaxiCharger AC Wallbox Commercial that allows network-adjacent attackers to bypass authentication through insufficient origin validation in Bluetooth pairing requests. The vulnerability (formerly ZDI-CAN-26353) has a CVSS score of 7.5 with high confidentiality, integrity, and availability impact; exploitation requires prior ability to pair a malicious Bluetooth device with the target system. No KEV or active exploitation data was provided in the supplied intelligence, and patch availability status is not documented in the available information.
Technical Context
The vulnerability exists in the Bluetooth pairing request handling mechanism of Autel MaxiCharger AC Wallbox Commercial. The root cause is classified under CWE-346 (Origin Validation Error), which encompasses insufficient verification that commands originate from legitimate sources before processing them. In the context of Bluetooth-enabled charging infrastructure, the wallbox fails to properly authenticate the origin of pairing requests, allowing an attacker who has already obtained proximity and pairing capability to send spoofed or maliciously crafted commands that bypass the device's authentication layer. This is particularly critical for charging infrastructure as it exposes vehicle charging control and potentially energy management systems to unauthorized manipulation. The attack surface is limited to devices that support Bluetooth connectivity and that have insufficient mutual authentication protocols during the pairing and command validation phases.
Affected Products
Autel MaxiCharger AC Wallbox Commercial (specific version ranges not provided in available intelligence). The vulnerability affects installations where Bluetooth connectivity is enabled. Exact CPE strings were not provided in the supplied data; however, the affected product would be identifiable as 'Autel MaxiCharger AC Wallbox' with product type 'Commercial'. A vendor advisory from Autel or Zigbee Alliance (original CVE reporter) would be required to identify specific affected firmware versions and remediation paths. Interested parties should consult Autel's official security advisories or CISA vulnerability databases for precise version information.
Remediation
Specific patch versions and availability dates were not provided in the supplied intelligence. Organizations should: (1) Contact Autel support directly to obtain patched firmware versions for MaxiCharger AC Wallbox Commercial; (2) Review Autel's official security advisory (associated with ZDI-CAN-26353) for version-specific fixes; (3) If patches are not immediately available, implement compensating controls such as disabling Bluetooth pairing on wallboxes in untrusted environments, restricting physical proximity access, or isolating charging infrastructure on segmented networks; (4) Monitor the affected systems for unauthorized pairing attempts using any available logging/alerting mechanisms. Vendor advisories and patch availability should be obtained from Autel's official security channels or CISA's CVE tracking system.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today