Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability.
The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.
AnalysisAI
CVE-2025-5822 is a privilege escalation vulnerability in the Autel MaxiCharger AC Wallbox Commercial Technician API that allows authenticated attackers to escalate from low-privileged users to higher privilege levels, potentially gaining unauthorized access to administrative functions and sensitive charging station data. The vulnerability requires an attacker to first obtain a valid low-privileged API token, after which they can bypass authorization controls to access restricted resources. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant risk to commercial EV charging infrastructure.
Technical ContextAI
The vulnerability exists in Autel's Technician API implementation for MaxiCharger AC Wallbox Commercial units, which are networked EV charging stations. The root cause is classified under CWE-863 (Incorrect Authorization), indicating the API fails to properly verify that an authenticated user has permission to access requested resources beyond their assigned privilege level. This is a classic authorization flaw where the API likely performs authentication (verifying identity via token) but lacks sufficient authorization checks (verifying the authenticated user's permissions for specific actions). The Technician API is a remote management interface used for diagnostics, configuration, and monitoring of commercial charging stations, making it a high-value target. The vulnerability affects the commercial variant of Autel's wallbox products, which integrate into fleet management and commercial charging networks.
RemediationAI
Specific patch versions were not provided in the CVE description. Recommended actions: (1) Contact Autel support immediately to obtain patched firmware versions for affected MaxiCharger AC Wallbox Commercial units; (2) If patches are not yet available, implement network-level access controls restricting Technician API exposure to trusted administrative networks only, ideally behind VPN; (3) Rotate all low-privileged API tokens currently in use, implement token expiration policies, and audit token usage logs for unauthorized escalation attempts; (4) Disable the Technician API if not actively required for operations; (5) Monitor for suspicious API calls from low-privilege accounts attempting to access high-privilege resources; (6) Implement request signing or mutual TLS for API authentication to increase exploitation difficulty. Vendor advisory with patch availability should be obtained directly from Autel's security advisory page or PSIRT contact.
CVE-2025-5830 is a heap-based buffer overflow vulnerability in Autel MaxiCharger AC Wallbox Commercial EV chargers affec
CVE-2025-5827 is a stack-based buffer overflow vulnerability in the ble_process_esp32_msg function of Autel MaxiCharger
CVE-2025-6678 is an unauthenticated remote information disclosure vulnerability in Autel MaxiCharger AC Wallbox Commerci
CVE-2025-5825 is a firmware downgrade remote code execution vulnerability in Autel MaxiCharger AC Wallbox Commercial cha
CVE-2025-5824 is an authentication bypass vulnerability in Autel MaxiCharger AC Wallbox Commercial that allows network-a
Autel MaxiCharger AC Wallbox Commercial autocharge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This
Autel MaxiCharger AC Wallbox Commercial wLength Buffer Overflow Remote Code Execution Vulnerability. This vulnerability
Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability. Thi
CVE-2025-5826 is a security vulnerability (CVSS 6.3) that allows network-adjacent attackers. Remediation should follow s
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28665