How to fix EUVD-2025-28665?

Within 24 hours: Inventory all Autel MaxiCharger AC Wallbox Commercial installations and document their network connectivity and administrative access requirements. Within 7 days: Implement network segmentation to restrict API access to the Technician API endpoints, disable remote API access if not operationally critical, and enforce strong authentication controls on low-privileged accounts. Within 30 days: Monitor vendor communications for patch availability, conduct a full risk assessment of affected installations, and evaluate alternative charging station solutions if patch timeline extends beyond acceptable risk tolerance.

Is Maxicharger Ac Ultra Firmware affected by EUVD-2025-28665?

A high-severity privilege escalation vulnerability in Autel MaxiCharger AC Wallbox Commercial charging stations could allow attackers with basic user access to gain administrative control over affected infrastructure.

EUVD-2025-28665

| CVE-2025-5822 HIGH

2025-06-25 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-28665

CVE Published

Jun 25, 2025 - 18:15 nvd

HIGH 8.8

Description

Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325.

Analysis

CVE-2025-5822 is a privilege escalation vulnerability in the Autel MaxiCharger AC Wallbox Commercial Technician API that allows authenticated attackers to escalate from low-privileged users to higher privilege levels, potentially gaining unauthorized access to administrative functions and sensitive charging station data. The vulnerability requires an attacker to first obtain a valid low-privileged API token, after which they can bypass authorization controls to access restricted resources. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant risk to commercial EV charging infrastructure.

Technical Context

The vulnerability exists in Autel's Technician API implementation for MaxiCharger AC Wallbox Commercial units, which are networked EV charging stations. The root cause is classified under CWE-863 (Incorrect Authorization), indicating the API fails to properly verify that an authenticated user has permission to access requested resources beyond their assigned privilege level. This is a classic authorization flaw where the API likely performs authentication (verifying identity via token) but lacks sufficient authorization checks (verifying the authenticated user's permissions for specific actions). The Technician API is a remote management interface used for diagnostics, configuration, and monitoring of commercial charging stations, making it a high-value target. The vulnerability affects the commercial variant of Autel's wallbox products, which integrate into fleet management and commercial charging networks.

Affected Products

Autel MaxiCharger AC Wallbox Commercial (specific affected versions not provided in the CVE description, but likely includes current and recent firmware versions). The product is a commercial-grade AC electric vehicle charging station with networked management capabilities. Affected installations include those with the Technician API enabled and exposed to network access. While CPE strings were not provided in the source data, the affected product would typically be indexed as 'autel:maxicharger_ac_wallbox_commercial' or similar. Operators of commercial EV charging networks, fleet operators with Autel infrastructure, and automotive dealerships with Autel charging systems are affected populations. No specific version restrictions were mentioned, suggesting the vulnerability may affect multiple firmware versions until patched.

Remediation

Specific patch versions were not provided in the CVE description. Recommended actions: (1) Contact Autel support immediately to obtain patched firmware versions for affected MaxiCharger AC Wallbox Commercial units; (2) If patches are not yet available, implement network-level access controls restricting Technician API exposure to trusted administrative networks only, ideally behind VPN; (3) Rotate all low-privileged API tokens currently in use, implement token expiration policies, and audit token usage logs for unauthorized escalation attempts; (4) Disable the Technician API if not actively required for operations; (5) Monitor for suspicious API calls from low-privilege accounts attempting to access high-privilege resources; (6) Implement request signing or mutual TLS for API authentication to increase exploitation difficulty. Vendor advisory with patch availability should be obtained directly from Autel's security advisory page or PSIRT contact.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

EUVD-2025-28665 vulnerability details – vuln.today

Back

EUVD-2025-28665

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-28665

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code