CVE-2025-5830 | EUVD-2025-28672

Severity: HIGH, 8.8 (CVSS 3.0)
Published: 2025-06-25

CVSS Vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-28672
CVE Published: Jun 25, 2025 - 18:15 (nvd), HIGH 8.8

Description

Autel MaxiCharger AC Wallbox Commercial DLB_SlaveRegister Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DLB_SlaveRegister messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26327.

Analysis

CVE-2025-5830 is a heap-based buffer overflow in the DLB_SlaveRegister message handler of Autel MaxiCharger AC Wallbox Commercial EV chargers. Network-adjacent attackers can execute arbitrary code without authentication because the handler does not validate the length of user-supplied data before copying it to a fixed-length buffer. This is a High-severity vulnerability (CVSS 8.8) in critical infrastructure (EV charging stations), with high real-world exploitability due to the unauthenticated, network-adjacent attack vector.

Technical Context

The vulnerability exists in the DLB_SlaveRegister message processing logic within Autel MaxiCharger AC Wallbox Commercial firmware. The root cause is CWE-122 (Heap-based Buffer Overflow), a classic memory safety issue: user-supplied message data is copied to a fixed-length heap buffer without prior length validation. This occurs in a network-accessible protocol handler, likely part of the device's management or diagnostic interface. The Modbus-like naming (DLB_SlaveRegister) suggests this may be related to industrial control protocol message handling. The heap allocation context may make exploitation more reliable than with stack overflows, since an attacker who can predict heap layout can overwrite adjacent heap metadata or function pointers. No specific CPE string was provided in the source data; the affected product is identified as Autel MaxiCharger AC Wallbox Commercial (model and version specifics would be found in vendor advisories).
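The missing length validation described above, shown as a hardened handler. This is an added example, not code from the page or from Autel's firmware; the message layout (2-byte length prefix), the buffer size, and all names are hypothetical assumptions, since the real DLB_SlaveRegister format is not given here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout (NOT the real DLB_SlaveRegister format):
 * 2-byte big-endian payload length, then the payload. */
#define HDR_LEN   2u
#define SLOT_SIZE 8u  /* fixed-length heap buffer; size chosen for the demo */

enum reg_status { REG_OK, REG_TRUNCATED, REG_TOO_LONG, REG_NOMEM };
struct slave_reg { size_t len; uint8_t data[SLOT_SIZE]; };

/* Hardened handler: both length checks run before any byte is copied. */
enum reg_status reg_parse(const uint8_t *msg, size_t msg_len,
                          struct slave_reg **out)
{
    *out = NULL;
    if (msg == NULL || msg_len < HDR_LEN)
        return REG_TRUNCATED;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > msg_len - HDR_LEN)  /* claims more than was received */
        return REG_TRUNCATED;
    if (declared > SLOT_SIZE)          /* the check a CWE-122 handler omits */
        return REG_TOO_LONG;
    struct slave_reg *r = calloc(1, sizeof *r);
    if (r == NULL)
        return REG_NOMEM;
    memcpy(r->data, msg + HDR_LEN, declared);  /* now bounded by SLOT_SIZE */
    r->len = declared;
    *out = r;
    return REG_OK;
}

/* Parse, release the record, and report only the status. */
enum reg_status reg_status_of(const uint8_t *msg, size_t msg_len)
{
    struct slave_reg *r;
    enum reg_status st = reg_parse(msg, msg_len, &r);
    free(r);
    return st;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_OK[]    = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t MSG_LONG[]  = {0x00, 0x0A, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
static const uint8_t MSG_SHORT[] = {0x00, 0x05, 'a', 'b'};

int main(void) { return reg_status_of(MSG_OK, sizeof MSG_OK) == REG_OK ? 0 : 1; }
```

Rejecting the oversized message instead of truncating it silently gives the device a clear event to log when a peer sends a malformed registration.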

Affected Products

MaxiCharger AC Wallbox Commercial (Specific version information not provided in source data)

Priority Score

Score: 44 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
