
MaxiCharger AC Elite Business C50 Firmware (EUVD-2025-28667)

CVE-2025-5825 · HIGH
Security Version Number Mutable to Older Versions (CWE-1328)
2025-06-25 · zdi-disclosures@trendmicro.com
Score: 7.5 (CVSS 3.0, NVD)

Severity by source

NVD PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 23:19 (euvd) · EUVD-2025-28667
Analysis Generated: Mar 15, 2026 23:19 (vuln.today)
CVE Published: Jun 25, 2025 18:15 (nvd) · HIGH 7.5

Description (CVE.org)

Autel MaxiCharger AC Wallbox Commercial Firmware Downgrade Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.

The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a firmware image before using it to perform an upgrade. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26354.

Analysis (AI-generated)

CVE-2025-5825 is a firmware downgrade remote code execution vulnerability in Autel MaxiCharger AC Wallbox Commercial charging stations that allows network-adjacent attackers with Bluetooth pairing capability to execute arbitrary code by uploading a malicious firmware image without proper validation. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality, integrity, and availability impact, though exploitation requires prior Bluetooth device pairing. This is a ZDI-coordinated disclosure (ZDI-CAN-26354) affecting commercial charging infrastructure.

Technical Context (AI-generated)

The vulnerability exists in the firmware update mechanism of Autel MaxiCharger AC Wallbox Commercial units, a popular commercial EV charging station platform. The root cause is classified under CWE-1328 (Security Version Number Mutable to Older Versions): the updater does not stop an image carrying an older security version from being installed, and, per the advisory, lacks adequate validation (signature or integrity verification) of a firmware image before using it for an upgrade. The attack vector is Adjacent Network (AV:A), meaning the attacker must first pair a Bluetooth device with the unit, a prerequisite that substantially limits exposure. Because the update process accepts firmware without proper authentication or rollback protection, an attacker who has paired a malicious Bluetooth device can downgrade or replace the firmware with a compromised version, enabling arbitrary code execution on the device.
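The two gates an updater needs for this class of flaw, as an added illustration that is not code from Autel or from this advisory: the image must authenticate, and its security version must never go backwards (the CWE-1328 check). The image layout, the `FWIM` magic, and the use of an HMAC with a placeholder device key in place of the vendor's real signature scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption for this example, not Autel's format):
# magic (4s) | fw_version (H) | security_version (H) | payload_len (I) | payload | tag (32)
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sHHI")
TAG_LEN = 32
# Placeholder device key; an HMAC stands in for the vendor's signature scheme.
VERIFY_KEY = b"placeholder-device-verify-key"


def build_image(fw_version, security_version, payload, key=VERIFY_KEY):
    """Produce an authenticated image (what a vendor build step would emit)."""
    header = HEADER.pack(MAGIC, fw_version, security_version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, stored_security_version, key=VERIFY_KEY):
    """Updater-side check. Returns (accepted, reason, security_version_to_store).

    Both gates must pass: the image authenticates, and its security version
    is not older than the one the device already runs.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image", stored_security_version
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    magic, _fw_version, sec_ver, payload_len = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic", stored_security_version
    if payload_len != len(body) - HEADER.size:
        return False, "length mismatch", stored_security_version
    # Authenticate header and payload together, so the version fields of a
    # genuine image cannot be edited to dodge the rollback check below.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed", stored_security_version
    # Anti-rollback (CWE-1328): a genuine but older image is still rejected,
    # because old firmware may carry known, already-patched bugs.
    if sec_ver < stored_security_version:
        return False, "rollback rejected", stored_security_version
    # The stored counter advances only after the image has passed both gates.
    return True, "ok", sec_ver


if __name__ == "__main__":
    current = 2  # security version the device currently runs
    new = build_image(0x0200, 3, b"constructed new firmware")
    old = build_image(0x0100, 1, b"constructed old firmware")
    print(verify_image(new, current))  # (True, 'ok', 3)
    print(verify_image(old, current))  # (False, 'rollback rejected', 2)
```

A vulnerable updater is one that performs only the first gate (or neither); the downgrade described on this page is exactly the case where a well-formed older image is accepted.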

Remediation (AI-generated)

Immediate remediation steps:

(1) Apply firmware updates from Autel addressing CVE-2025-5825 once released; monitor Autel's official security advisories for patched firmware versions.
(2) Interim mitigations include disabling Bluetooth pairing on units where not operationally required, implementing network segmentation to isolate charging station management interfaces, and restricting Bluetooth device pairing to authorized personnel only.
(3) Review Bluetooth pairing logs and revoke any unauthorized paired devices.
(4) If available, implement signed firmware update verification at the network level before devices receive updates.
(5) Coordinate with Autel support for patch availability timelines and staged deployment procedures for commercial fleets.

Workarounds may include air-gapping management access, disabling remote firmware update capabilities if local update remains available, and physical security controls around charging stations to prevent unauthorized Bluetooth device proximity.


EUVD-2025-28667 vulnerability details – vuln.today
