Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Wallbox Commercial. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of bluetooth pairing requests. The issue results from insufficient validation of the origin of commands. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26353.
AnalysisAI
CVE-2025-5824 is an authentication bypass vulnerability in Autel MaxiCharger AC Wallbox Commercial that allows network-adjacent attackers to bypass authentication through insufficient origin validation in Bluetooth pairing requests. The vulnerability (formerly ZDI-CAN-26353) has a CVSS score of 7.5 with high confidentiality, integrity, and availability impact; exploitation requires prior ability to pair a malicious Bluetooth device with the target system. No KEV or active exploitation data was provided in the supplied intelligence, and patch availability status is not documented in the available information.
Technical ContextAI
The vulnerability exists in the Bluetooth pairing request handling mechanism of Autel MaxiCharger AC Wallbox Commercial. The root cause is classified under CWE-346 (Origin Validation Error), which encompasses insufficient verification that commands originate from legitimate sources before processing them. In the context of Bluetooth-enabled charging infrastructure, the wallbox fails to properly authenticate the origin of pairing requests, allowing an attacker who has already obtained proximity and pairing capability to send spoofed or maliciously crafted commands that bypass the device's authentication layer. This is particularly critical for charging infrastructure as it exposes vehicle charging control and potentially energy management systems to unauthorized manipulation. The attack surface is limited to devices that support Bluetooth connectivity and that have insufficient mutual authentication protocols during the pairing and command validation phases.
RemediationAI
Specific patch versions and availability dates were not provided in the supplied intelligence. Organizations should: (1) Contact Autel support directly to obtain patched firmware versions for MaxiCharger AC Wallbox Commercial; (2) Review Autel's official security advisory (associated with ZDI-CAN-26353) for version-specific fixes; (3) If patches are not immediately available, implement compensating controls such as disabling Bluetooth pairing on wallboxes in untrusted environments, restricting physical proximity access, or isolating charging infrastructure on segmented networks; (4) Monitor the affected systems for unauthorized pairing attempts using any available logging/alerting mechanisms. Vendor advisories and patch availability should be obtained from Autel's official security channels or CISA's CVE tracking system.
CVE-2025-5830 is a heap-based buffer overflow vulnerability in Autel MaxiCharger AC Wallbox Commercial EV chargers affec
CVE-2025-5827 is a stack-based buffer overflow vulnerability in the ble_process_esp32_msg function of Autel MaxiCharger
CVE-2025-5822 is a privilege escalation vulnerability in the Autel MaxiCharger AC Wallbox Commercial Technician API that
CVE-2025-6678 is an unauthenticated remote information disclosure vulnerability in Autel MaxiCharger AC Wallbox Commerci
CVE-2025-5825 is a firmware downgrade remote code execution vulnerability in Autel MaxiCharger AC Wallbox Commercial cha
Autel MaxiCharger AC Wallbox Commercial autocharge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This
Autel MaxiCharger AC Wallbox Commercial wLength Buffer Overflow Remote Code Execution Vulnerability. This vulnerability
Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability. Thi
CVE-2025-5826 is a security vulnerability (CVSS 6.3) that allows network-adjacent attackers. Remediation should follow s
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19124