Severity by source
NVD: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (primary rating; the only source for this CVE)
CVSS Vector (NVD): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352.
Analysis (AI)
CVE-2025-6678 is an unauthenticated remote information disclosure vulnerability in Autel MaxiCharger AC Wallbox Commercial charging stations affecting the Pile API endpoint. An attacker can remotely access sensitive information including credentials without requiring authentication, enabling credential theft and potential further compromise of the charging infrastructure. The vulnerability has a CVSS 7.5 severity rating reflecting high confidentiality impact, and the lack of authentication requirements makes exploitation trivial.
Technical Context (AI)
The vulnerability resides in the Pile API of Autel MaxiCharger AC Wallbox Commercial units, which are networked electric vehicle charging stations designed for commercial deployment. The root cause is classified as CWE-306 (Missing Authentication for Critical Function), indicating the Pile API endpoint fails to enforce authentication mechanisms before exposing sensitive operational data. The affected systems are networked charging appliances that communicate via HTTP/REST APIs; the lack of authentication means any network-accessible attacker (local network or internet-routable depending on deployment) can directly query API endpoints without credentials. This is a fundamental API security flaw where sensitive operations or data retrieval are exposed without access controls, a common issue in IoT and charging infrastructure devices that may prioritize ease-of-use over security.
Remediation (AI)
1. Immediate: Restrict network access to Pile API endpoints using firewall rules, network segmentation, or IP allowlisting if the charging stations are not required to be internet-accessible. Isolate MaxiCharger AC Wallbox Commercial units to trusted networks only.
2. Urgent: Contact Autel support for available firmware patches or security updates addressing CWE-306 authentication enforcement. Check Autel's security advisory portal for CVE-2025-6678 patch availability and deployment instructions.
3. Short-term: If patches are unavailable, implement API gateway authentication or reverse proxy controls (e.g., nginx, WAF) in front of the Pile API endpoint to enforce authentication before allowing access.
4. Monitoring: Audit logs for unauthorized API access attempts to the Pile API; rotate any credentials that may have been exposed via this vulnerability.
5. Long-term: Migrate to patched firmware versions once available and implement ongoing API security testing as part of the charging infrastructure maintenance schedule.
EUVD-2025-28757